Compliance is the most boring topic in contractor marketing and the one most likely to wipe out a year of margin if you get it wrong. The risk profile for residential window & door replacement contractors is specifically elevated because of the channel mix (heavy paid lead-gen with SMS follow-up) and the consumer-facing nature of every interaction.
This is not legal advice. This is what we audit on every contractor account before we touch their lead-response stack, and what we'd encourage every operator to audit on their own setup, ideally before a plaintiff's lawyer or a regulator does it for them.
The three regimes that apply to contractor marketing
1. TCPA (United States)
The Telephone Consumer Protection Act governs commercial calls and texts to U.S. consumers. Key requirements for window & door contractors:
- Express written consent required before any auto-dialed or pre-recorded call, or any text message, from a business to a consumer.
- The consent must be specific to the contractor (not a generic “our partners” clause).
- The consumer must explicitly agree (a pre-checked checkbox does not count), and the consent language must be visible adjacent to the agreement action.
- Consent record must be retained for at least 4 years.
- Calling hours: 8am–9pm in the consumer's local time zone.
- Standard opt-out keywords (STOP, STOPALL, UNSUBSCRIBE, CANCEL, QUIT, END) must be honored, with HELP returning a help message.
TCPA statutory damages are $500-$1,500 per illegally contacted phone number. A class action with 5,000 affected numbers is a $2.5M-$7.5M exposure. Settlements in the contractor space have hit the hundreds of thousands regularly.
2. CASL (Canada)
Canada's Anti-Spam Legislation governs Commercial Electronic Messages (CEMs: SMS, email, social DMs) sent to recipients with a Canadian address. It is stricter than TCPA in some ways:
- Express consent required before sending any CEM. Implied consent is narrow and time-limited (existing business relationship within 24 months).
- Every CEM must identify the sender by legal name + mailing address.
- Every CEM must include a working unsubscribe mechanism that honors requests within 10 business days.
- Consent record retention burden is on the sender.
CASL maximum fines: up to CAD $10M per violation for businesses, $1M for individuals.
3. A2P 10DLC + The Campaign Registry (TCR)
Application-to-Person 10-Digit Long Code messaging (what most SMS automation runs on) requires brand registration with The Campaign Registry, campaign approval per use case, and carrier-level vetting. Without registration, your SMS deliverability degrades to single-digit percentages and your sender reputation can be permanently flagged.
Why this matters even if you 'haven't been sued yet'
The compliance audit: 12 questions to ask of your current setup
Walk through these against your own funnel. If you can't answer “yes” with confidence to all 12, you have exposure to fix.
- Does every phone-collecting form display the exact consent text adjacent to the consent action, visible without scrolling?
- Is the consent checkbox unchecked by default, requiring affirmative consumer action?
- Does the consent text specifically name your business entity (not a generic “Partners”)?
- Does the consent text disclose: message types, frequency, carrier disclaimer, opt-out keywords, & HELP keyword?
- Are you capturing and storing server-side (not just on the client) the exact consent text shown, timestamp, IP address, user agent, and page URL at submission time?
- Are consent records retained for at least 4 years (TCPA) and indefinitely-or-by-policy for CASL?
- Is your A2P 10DLC brand registered with TCR? Brand ID and campaign IDs known and documented?
- Are your sample messages pre-approved through TCR campaign vetting and matching what you actually send?
- Are STOP, STOPALL, UNSUBSCRIBE, CANCEL, QUIT, END processed within 10 business days (federal floor), and ideally within minutes via your SMS platform's automated handling?
- Are messages restricted to the 8am-9pm local-time-zone window?
- For Canadian recipients: does every CEM include your legal business name, mailing address, and a one-click unsubscribe?
- Is your privacy policy current, public, and reflective of what your stack actually does, including third-party processors named (CRM, SMS provider, email provider)?
The most common failure modes we see
Failure mode 1: implied consent at submission
Form says “by submitting this form, you agree to be contacted.” No checkbox. No specific consent for SMS/auto-dialed calls. This is not TCPA-compliant express written consent. It will not survive contested discovery.
Failure mode 2: consent record exists only on the client
Form has a checkbox. User checks it. Submission goes to your CRM. But the consent text the user actually saw, the IP address, and the timestamp are not captured server-side with the lead record. If the form copy ever changes, you cannot reconstruct what the user agreed to. This kills the consent record's value as evidence.
Failure mode 3: SMS automation without TCR registration
Sending automated SMS through a commercial provider without registering an A2P 10DLC brand and campaign. Carriers will progressively throttle delivery to single digits, which most contractors interpret as “our SMS isn't working” when it is actually a compliance gap. Worse, the senders that survive the throttling are usually the lowest-compliance operators getting away with it temporarily.
Failure mode 4: opt-out handling that doesn't actually opt out
User replies STOP. Your CRM marks them DNC. Two weeks later, an automated drip campaign re-includes them. The federal floor is 10 business days, but federal regulators and class-action plaintiffs both treat re-engagement post-opt-out as evidence of bad faith.
Failure mode 5: privacy policy that doesn't describe the actual stack
Privacy policy was generated from a template four years ago and never updated. It doesn't name your CRM, your SMS platform, your email provider, your analytics tools. CCPA / CPRA require disclosure of these third parties. Outdated policies are easy plaintiff fodder.
What proper compliance looks like operationally
For a residential window & door replacement contractor running paid acquisition with SMS follow-up:
- Every form has a single clear consent checkbox with the full required disclosure text adjacent.
- Consent records are written server-side at submission time with IP, user agent, page URL, timestamp, and exact consent text snapshot.
- A2P 10DLC brand is registered with TCR. Campaign use-case is customer-care (not marketing-promotional, unless you have a separate registered campaign for that).
- SMS platform handles STOP / HELP keywords automatically, DNC list is honored across all campaigns, and the DNC flag is queryable from your CRM.
- Privacy policy is reviewed quarterly, lists every active third-party processor, and is versioned with effective dates.
- Terms of Service explicitly address the SMS messaging program: program description, age 18+ confirmation, carrier liability disclaimer.
- Quarterly compliance review where a designated person (internal or contracted) confirms the audit checklist still passes.
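As an added example (not code from the original article), here is a minimal Python sketch of the server-side pieces those bullets describe: a consent record snapshot written at submission time, whole-message opt-out keyword handling against one DNC set shared by every campaign, and an 8am–9pm send-window check in the recipient's local time zone. The function names, the SHA-256 fingerprint of the consent text, and the whole-message keyword match are assumptions of this sketch, not the article's.

```python
import hashlib
from datetime import datetime, timedelta, timezone, tzinfo

# Standard opt-out keywords from the article; HELP is handled separately.
OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "QUIT", "END"}


def build_consent_record(consent_text, phone, ip, user_agent, page_url, now=None):
    """Snapshot exactly what the user agreed to, server-side, so the record
    survives later edits to the form copy. The SHA-256 is an extra fingerprint
    (assumption) that lets you prove the stored text is unchanged."""
    now = now or datetime.now(timezone.utc)
    return {
        "phone": phone,
        "consent_text": consent_text,
        "consent_text_sha256": hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
        "ip": ip,
        "user_agent": user_agent,
        "page_url": page_url,
        "timestamp_utc": now.isoformat(),
    }


def classify_inbound(body):
    """Map an inbound reply to 'opt_out', 'help' or 'other'.
    Whole-message match, case- and whitespace-insensitive (assumption)."""
    word = body.strip().upper().rstrip(".!")
    if word in OPT_OUT_KEYWORDS:
        return "opt_out"
    if word == "HELP":
        return "help"
    return "other"


def process_inbound(phone, body, dnc):
    """Apply a reply to the single shared DNC set; returns the action taken."""
    action = classify_inbound(body)
    if action == "opt_out":
        dnc.add(phone)  # one set across all campaigns, so no drip re-includes them
    return action


def within_send_window(now_utc, recipient_tz: tzinfo):
    """8am–9pm in the recipient's local time (21:00 itself is outside)."""
    local = now_utc.astimezone(recipient_tz)
    return 8 <= local.hour < 21


def may_send(phone, dnc, now_utc, recipient_tz: tzinfo):
    """Gate every outbound message on DNC status and the local-time window."""
    return phone not in dnc and within_send_window(now_utc, recipient_tz)
```

In production the recipient's tzinfo would come from zoneinfo.ZoneInfo keyed by the lead's address; fixed offsets are used here only to keep the sketch self-contained.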
What this gets you
A real compliance posture is not just about avoiding fines. Carriers reward compliant senders with higher deliverability: the same SMS message sent from a properly registered brand with a documented opt-in flow can get 90%+ delivery, while a non-compliant sender gets 5-30%. Compliance is also a sales-side differentiator: contractors who can show their compliance posture to skeptical homeowners convert better, especially with older, more-cautious buyers.
Common questions
“Doesn't my CRM handle this?”
Some CRMs handle pieces of this: STOP keyword recognition, DNC flagging, basic consent capture. None handle all of it. TCR brand registration, server-side consent record retention, privacy-policy versioning, and STOP propagation across platforms are usually outside default CRM scope. The gap between “CRM has consent capture” and “your compliance posture would survive a class action” is non-trivial.
“What if I just don't use SMS?”
You can avoid most A2P 10DLC complexity by skipping SMS automation, but you still face TCPA exposure on auto-dialed and pre-recorded voice calls, and CASL exposure on email marketing to Canadians. The compliance work doesn't go away; it just moves to different channels. And without SMS, your sub-2-minute lead response posture is dramatically weaker, costing you significant pipeline. The lead-response math is here.
“What's the actual cost of getting this right?”
For a contractor running their own infrastructure: roughly 2-5 hours/month of operational maintenance plus an annual legal review, on top of the platform and tooling fees. For a contractor working with a niche-specialist agency, this is usually folded into the retainer. Either way, the cost of compliance is a small fraction of the cost of a single contested TCPA settlement.
$500–$1,500
TCPA statutory damages per illegally contacted number. A class with 5,000 affected numbers is a $2.5M-$7.5M exposure: multiples of most contractors' annual marketing budget.
Ready to talk numbers on your own pipeline?
45-minute strategy call. Live look at your ad accounts. Written diagnosis you keep, whether you sign or not.
Final thought
Compliance is the most under-invested area of contractor marketing precisely because it doesn't produce visible wins. You don't get a dashboard saying “congrats, you avoided a class action this quarter.” But the operators who built it properly four years ago are still in business; some who didn't aren't. Audit your stack against the 12 questions above. Where you find gaps, close them, quickly, and with documentation. The cost of getting it right is always lower than the cost of getting it wrong.
This article is for informational purposes only and is not legal advice. For specific compliance questions about your business, consult qualified counsel in your jurisdiction.