TCPA Compliance for Lead Generation in 2026: What Every Lead Buyer Needs to Know

In 2026, staying on top of TCPA compliance for lead generation isn't just a good idea, it's a necessity. We've seen a big jump in lawsuits, and the costs can really add up if you're not careful. This article is here to help us understand what's going on and how we can make sure our lead buying practices are solid. We'll cover how to spot bad leads, why proving consent is so important, and what steps we need to take to protect ourselves.

Key Takeaways

• TCPA class action lawsuits have increased significantly, making compliance a top priority for lead buyers. We must understand the financial risks, which can include substantial fines and settlements.

• Lead fraud is a major issue, with a large percentage of online leads being invalid due to bots or fabricated data. This costs businesses billions annually and wastes valuable sales resources.

• Valid consent documentation is critical. The burden of proof lies with the caller, meaning we need robust, verifiable records of consumer consent to avoid violations.

• A multi-layered approach to verification, analyzing numerous data points and employing advanced techniques like behavioral biometrics, is necessary to detect sophisticated fraud.

• Integrating real-time verification into our lead generation workflow, from point-of-intake to CRM, is essential for immediate risk assessment and efficient operations, with speeds under 150 milliseconds being achievable.

The Escalating TCPA Compliance Landscape

We're seeing a significant shift in how the Telephone Consumer Protection Act (TCPA) is being enforced, and it's directly impacting lead generation. It feels like every week there's a new headline about a massive settlement or a surge in class action lawsuits. This isn't just a minor inconvenience; it's a full-blown compliance crisis that every lead buyer needs to understand.

Understanding the Surge in TCPA Class Actions

The numbers don't lie. TCPA class action filings have seen an alarming increase, with some analyses showing a jump of over 100% year-over-year. This isn't just a few isolated cases; it's a systemic issue. We've seen filings surge by 67% in 2024, and then more than double again in early 2025. This trend indicates that regulatory bodies and plaintiff's attorneys are increasingly focused on TCPA violations. The sheer volume means that the risk of being caught in a lawsuit is higher than ever before.

The Financial Ramifications of Non-Compliance

Let's talk about the money. The penalties for TCPA violations are severe. We're looking at $500 to $1,500 per unauthorized call. Multiply that by the thousands of calls a typical sales team makes, and the numbers become staggering. We've seen major settlements that highlight this financial risk: Dish Network paid $280 million, and Assurance IQ, a company acquired for billions, was effectively shut down after a $21 million TCPA settlement. Even smaller companies can face devastating financial consequences. It's not just about fines; it's about the cost of legal defense, reputational damage, and the potential loss of business operations entirely.

Why Lead Buyers Bear the Ultimate Liability

This is a critical point: the burden of proof for consent rests with the caller. Even if a lead generator provides you with leads, if those leads were obtained without proper consent, you, the buyer, are ultimately liable for any TCPA violations. It's a common misconception that the lead seller is responsible. However, when you dial that number, you're the one making the call, and you're the one who needs to prove you had the necessary permission. This means that simply trusting your lead vendor isn't enough; you need to verify the consent documentation yourself. We've seen firsthand how a lack of verified consent can lead to catastrophic outcomes, even for well-established companies. Relying on upstream verification is no longer a viable strategy; you need to implement your own checks before making any contact. This is why understanding TCPA compliance is so important for every lead buyer in 2026.

Identifying and Mitigating Lead Fraud

We've all heard the stories, and frankly, we've probably experienced them ourselves. The lead generation landscape in 2026 is a complex battlefield, and a significant portion of the "leads" we acquire aren't actually leads at all. They're fakes, bots, or data that's been manipulated. This isn't just a minor annoyance; it's a direct hit to our bottom line and our compliance efforts.

The Evolving Tactics of Bot Farms and Fraudsters

It used to be that bots were pretty easy to spot. They'd fill out forms with gibberish or use obviously fake email addresses. That's not the case anymore. Today's bot farms are sophisticated. They use residential proxies to mask their origin, they scrape real consumer data from data breaches, and they even simulate human-like mouse movements and typing patterns. They're designed to bypass simple checks and look as legitimate as possible. We're seeing "human fraud farms" too, where real people are paid to fill out forms with stolen or fabricated data, making them even harder to detect than automated bots.

Quantifying the Cost of Invalid Leads

Let's talk numbers, because this is where it gets serious. Industry consensus suggests that anywhere from 25% to 30% of online leads are simply invalid. That's not just a few bad apples; that's a quarter to a third of our entire lead flow. This translates into billions lost annually across the market due to fake leads and bot submissions. Think about the wasted ad spend, the cost of the lead itself, and then the time your sales team spends chasing these ghosts. It's estimated that sales reps waste between 30% and 50% of their time on leads that will never convert. At an average cost of $15-$25 per bad lead just for wasted sales labor, the numbers add up incredibly fast.

The problem isn't just about wasted money; it's about the downstream effects. When sales teams are constantly calling disconnected numbers or people who have no idea who you are, morale plummets. Top performers might leave, and the entire operation can start to feel hollow.

The Critical Need for Real-Time Verification

Given the sophistication of current fraud tactics, relying on outdated verification methods just won't cut it. We need to identify and stop invalid leads before they enter our sales pipeline. This means implementing real-time verification at the point of intake. We're talking about analyzing dozens, even hundreds, of data points in milliseconds to assess the legitimacy of a lead. This isn't just about checking if an email address exists; it's about understanding the digital footprint, the behavioral patterns, and the connection quality to determine if a lead is truly a prospect or just another piece of fraudulent noise. The goal is to have a clear, data-driven verdict on every single lead before we invest any further resources into it.

Here's a snapshot of what we're up against:

• Invalid Lead Percentage: 25-30% of online leads are estimated to be invalid.

• Annual Market Loss: Billions are lost annually to fake leads and bot submissions.

• Sales Time Wasted: Sales teams can spend 30-50% of their time on unqualified or invalid leads.

• TCPA Risk per Call: Each unauthorized call can result in fines of $500-$1,500.

TCPA Compliance Lead Generation: Proving Consent

In the world of lead generation, especially when it comes to making calls, proving consent is not just a good idea; it's a legal necessity. The Telephone Consumer Protection Act (TCPA) places the burden of proof squarely on the caller to demonstrate that they had the necessary permission to make those calls. This means if you're buying leads, you need to be absolutely sure that the lead generator you're working with has meticulously documented consent from every single individual they've collected information from. We've seen firsthand how a lack of proper consent documentation can lead to significant financial penalties and even the downfall of businesses. It's not enough for someone to have filled out a form; you need to prove they agreed to be contacted, especially for marketing purposes.

The Burden of Proof Rests with the Caller

It's a common misconception that the lead generator is solely responsible for TCPA compliance. However, the reality is that when you make the call, you inherit the liability. This is why verifying the consent documentation provided by your lead sources is so critical. We've encountered situations where lead generators claimed to have consent, but when scrutinized, their documentation was either non-existent or insufficient. Remember, the law doesn't care if the lead vendor promised compliance; it cares if you can prove it. This is why we always emphasize that the ultimate responsibility falls on the entity making the call. A recent court ruling, for instance, highlighted that while written consent isn't always mandated, the ability to prove consent is paramount Understanding the TCPA's consent requirements.

Essential Elements of Valid Consent Documentation

What exactly constitutes valid consent documentation? It's more than just a checkbox on a form. We look for several key pieces of information that, when combined, create a robust audit trail:

• Timestamped Records: When was consent given? This needs to be recorded accurately.

• IP Address: Where was the consent given from?

• Device Fingerprint: What device was used? This helps distinguish between human and bot activity.

• Specific Consent Language: What exactly did the consumer agree to? This includes the type of communication they agreed to receive (calls, texts, emails) and the purpose (e.g., marketing).

• Source of the Lead: Which website or campaign generated the lead and obtained consent?

Without these elements, consent can be easily challenged. We've seen cases where leads were obtained through methods that didn't clearly articulate what the consumer was agreeing to, leading to costly disputes.

Leveraging Technology for Automated Consent Tracking

Manually tracking consent for every lead is a monumental, if not impossible, task. This is where technology plays a vital role. Modern verification platforms can automatically capture and store consent records at the point of intake. This includes not just the checkbox but also the associated metadata like timestamps, IP addresses, and device information. This automated process provides an irrefutable record, safeguarding against claims of non-compliance. For example, systems can integrate directly with your forms, capturing consent language and user details simultaneously. This ensures that as soon as a lead is generated, their consent is documented and auditable, significantly reducing the risk associated with TCPA violations. We believe that adopting these technological solutions is no longer optional but a core component of any compliant lead generation strategy.

Beyond Basic Verification: A Multi-Layered Approach

We've all been there. You get a lead, it looks good on the surface, and you dive in. But then you hit a wall – disconnected numbers, people who swear they never signed up, or worse, silence. Basic verification, like just checking if an email address exists, isn't enough anymore. The game has changed, and so has the sophistication of those trying to game the system.

Analyzing 101 Data Points for Comprehensive Insights

Think of it like this: a simple email checker tells you if a mailbox is real. That's like checking if a house has a door. But does anyone live there? Are they expecting you? That's where a deeper dive comes in. We look at 101 different data points for every single lead. This isn't just about one or two checks; it's about building a complete picture. We examine things like:

• Device Fingerprinting: What kind of device is being used? Is it a standard mobile phone, a desktop, or something more unusual that might indicate automation?

• Behavioral Patterns: How was the form filled out? Was it typed at a human pace, or did it appear instantly? We analyze mouse movements, typing speed, and even how someone scrolls.

• Network Analysis: Where is the lead coming from? Are they using a VPN or a proxy that might hide their true location?

This multi-layered approach allows us to see patterns that a single point of verification would miss entirely. It's about understanding the context of the submission, not just the data itself.

Behavioral Biometrics: Detecting Human vs. Bot Activity

Bots are getting smarter. They can mimic human typing, use real IP addresses, and even bypass simple CAPTCHAs. This is why behavioral biometrics is so important. It's not just about what information is submitted, but how it's submitted. We analyze the subtle, often unconscious, ways humans interact with a form – the rhythm of their typing, the way they move their mouse, the pauses they take.

Bots often exhibit unnatural patterns, like filling out forms in milliseconds or using perfectly consistent keystroke timings. Behavioral biometrics helps us distinguish these automated actions from genuine human interaction, even when the submitted data looks legitimate on the surface.

This technology acts like a digital fingerprint for human behavior, making it incredibly difficult for bots to fake.

The Limitations of Traditional Verification Methods

We've relied on methods like CAPTCHAs, basic email validation, and even simple phone number checks for years. While they served a purpose, they're no longer sufficient. CAPTCHAs annoy real users and are often bypassed by advanced bots. Email validation only confirms a mailbox exists, not who owns it or if they actually submitted a form. Phone validation might confirm a number is active, but it doesn't tell you if the person answering is the one who filled out your lead form.

• CAPTCHAs: Block legitimate users as often as they block bots.

• Email Validation: Only confirms the existence of an email address.

• Phone Validation: Confirms a number is active, not consent.

These methods are like checking if a car has wheels. They're a start, but they don't tell you if the car is stolen, if it's being driven by a licensed driver, or if it's even in the right city. We need a more robust system to truly understand lead quality and compliance.

Integrating Verification into Your Lead Generation Workflow

We know that integrating new tools can seem like a chore, but when it comes to TCPA compliance and lead quality, it's a necessary step. The good news is that modern verification solutions are designed to fit right into your existing processes without causing a fuss. We're talking about making verification a background task that happens so fast, your sales team won't even notice a difference.

Point-of-Intake Verification for Immediate Risk Assessment

Think about it: the moment a lead hits your system is the moment you should know if it's worth pursuing. This is where point-of-intake verification shines. Instead of waiting for your sales team to call a lead and discover it's a dud, verification happens right when the form is submitted. This means you get an instant risk assessment. We can identify and flag or even block leads that show signs of fraud or non-compliance before they ever reach your sales reps. This stops bad leads in their tracks, saving time and preventing potential TCPA violations. It's like having a bouncer at the door for your lead pipeline.

Seamless Integration with Your Existing CRM and Tools

We understand you've already got a system that works for you, whether it's a CRM like HubSpot or Salesforce, or a dialer. The last thing we want is to add another complicated piece to manage. That's why verification tools are built to connect easily. Using simple integrations like webhooks or APIs, verified lead data, along with its compliance score, can be automatically sent to your existing platforms. This means your team gets the information they need without any manual data entry or switching between different software. It keeps your workflow smooth and your data consistent.

The Speed of Verification: Under 150 Milliseconds

Speed is everything in lead generation. A lead that's hot today can be cold tomorrow. We can't afford to have verification slow us down. The best verification systems work incredibly fast, often completing their analysis in under 150 milliseconds. This is faster than you can blink. It means that by the time a lead is routed to a sales rep or added to a follow-up sequence, its validity and compliance status are already known. This speed ensures that you can act on good leads immediately while discarding bad ones without delay. It's a critical factor in maintaining a competitive edge and maximizing conversion rates.

The True Cost of Unverified Leads

We often focus on the upfront cost of acquiring leads, but the real expense comes from the ones we can't actually use. Unverified leads aren't just a minor inconvenience; they represent a significant drain on resources and can actively harm our business operations.

Wasted Sales Hours and Diminished Productivity

Think about the time your sales team spends on leads that go nowhere. If a sales representative spends just 10 minutes on a single bad lead, and they handle a few dozen of these each month, that quickly adds up. We're talking about hundreds of hours lost collectively, every single month. This isn't just about payroll; it's about lost opportunities because your best people are stuck chasing disconnected numbers or people who have no idea why they're being called.

• Sales reps can waste 30-50% of their time on leads that will never convert.

• Each "bad" lead can cost between $15-$25 in wasted sales labor alone.

• This directly impacts productivity, reducing the number of actual sales conversations that can take place.

The cycle of calling unverified leads, facing rejection, and repeating the process erodes team morale. When sales reps consistently hit dead ends, their belief in the lead quality diminishes, leading to burnout and increased turnover. This creates a hollowed-out operation where lead generation invoices continue to arrive, but the actual sales engine sputters.

Brand Reputation Damage from Spammy Perceptions

When we call someone who never requested contact, or worse, someone whose data was obtained without proper consent, we risk more than just a lost sale. We risk our brand's reputation. In today's connected world, a single negative interaction can quickly spread. Being perceived as a spammer or a company that disregards privacy can undo months of brand-building efforts. This is especially true when dealing with TCPA violations, where each unauthorized call can carry a penalty of $500 to $1,500.

Lost Opportunities to Competitors

Every moment a sales representative spends on a fake or unqualified lead is a moment they are not spending on a genuine, high-intent buyer. Real prospects often don't wait around. While your team is busy trying to verify a lead's identity or dealing with a bot submission, a competitor might be making the winning call. This means not only losing the current deal but also potentially losing that customer for future business. The speed at which leads go cold means that unverified leads don't just waste time; they actively hand over valuable opportunities to those who are more efficient and compliant.

Choosing the Right Verification Partner

When we're looking for a partner to help us verify leads, it's not just about finding someone who can check a box. We need a system that truly understands the nuances of lead generation and the risks involved. It's about finding a partner that acts like an extension of our own team, one that's as invested in our success as we are.

Evaluating Verification Depth and Signal Quality

We can't afford to just skim the surface. A good verification partner looks at a lot of different signals – not just one or two. We're talking about analyzing over 100 data points for each lead. This includes things like how someone types, how they move their mouse, and even the device they're using. This level of detail helps us spot sophisticated fraud that simpler checks miss. For instance, email checkers might tell you if a mailbox exists, but they won't tell you if the person who filled out your form is actually the one who owns it. We need that deeper insight. The goal is to get a single, reliable trust verdict for every lead.

Understanding the Role of Data Processors vs. Controllers

This is a big one for compliance. When we use a service to verify leads, we need to be clear about who is responsible for what. We, as the customer, are typically the Data Controller. This means we decide what data is collected and why. The verification service, like Argus, acts as the Data Processor. They handle the data according to our instructions and privacy policies. It's important that they understand this distinction and have clear policies in place, like their commitment to not selling lead data. This helps us maintain control and compliance over the information we handle.

Prioritizing Privacy and Security in Data Handling

Our leads' privacy is just as important as our own. We look for partners who are serious about data security. This means using encryption for data both in transit and at rest. It also means they don't use tracking cookies for advertising or sell our leads' information. We've seen how bad data handling can lead to serious problems, and we want to avoid that. A partner that uses techniques like device fingerprinting solely for fraud prevention, and not for marketing, is a partner we can trust. We need to know that our data, and the data of the people who become our leads, is protected.

Industry-Specific Fraud Patterns and Solutions

We've all seen it: the lead that looks good on paper but turns out to be a complete dud. It's frustrating, but it's also a sign that fraud isn't a one-size-fits-all problem. Different industries face unique challenges when it comes to lead generation, and the tactics fraudsters use often reflect that. Understanding these specific patterns is key to protecting our businesses.

Addressing Unique Challenges in Financial Services and Insurance

In sectors like financial services and insurance, the stakes are high, and so is the potential for fraud. We've seen quote stuffing with fake identities, where fraudsters submit numerous applications to see what sticks, often using stolen or synthetic data. Leads get recycled, meaning the same information is sold multiple times to different carriers, wasting everyone's time and resources. For instance, a company like Assurance IQ, which was acquired for billions, faced a significant TCPA settlement that contributed to its downfall, partly due to issues stemming from unverified lead data. This highlights how critical it is to verify every single lead, especially when dealing with sensitive financial information.

Here's a look at some common fraud patterns we encounter:

• Quote Stuffing: Using fake or stolen identities to submit multiple applications. This is particularly prevalent in insurance where quotes are often free.

• Lead Recycling: The same lead data being sold to multiple competitors, diminishing its value and creating a poor experience for the end consumer.

• Synthetic Identities: Fraudsters combine real and fabricated information to create entirely new, fake identities that can be hard to detect.

Mitigating Fraud in High-Value Verticals like Legal and Home Services

High-value verticals, such as legal services (especially mass tort and personal injury) and home services (like HVAC or roofing), are prime targets for sophisticated fraud operations. The cost per lead in these areas can be substantial – think hundreds or even thousands of dollars for a single qualified lead in mass tort cases. This high payout attracts fraudsters who employ advanced tactics.

We often see:

• Fake Claimants: In legal services, individuals might pose as victims seeking settlements, submitting fabricated injury details.

• Spoofed Addresses/Locations: Home service leads might use fake zip codes or addresses to appear within a service area when they are not, leading to wasted technician dispatches.

• Bot Farms Targeting High-Value Campaigns: Automated systems are specifically designed to flood forms for lucrative services, aiming to generate revenue through sheer volume or by selling the fake data.

The cost of a single bad lead in these verticals can be astronomical. It's not just the lead cost; it's the wasted time of highly paid professionals, like licensed agents or dispatched technicians, that truly impacts the bottom line. We need systems that can detect these high-value targets before they drain our resources.

Adapting Verification Strategies to Evolving Threats

The landscape of lead fraud is constantly shifting. What worked yesterday might not work today. We've moved beyond simple checks like email validation or basic CAPTCHAs. Modern fraudsters use residential proxies, mimic human behavior with sophisticated scripts, and exploit data breaches to obtain real consumer information. This means our verification methods must also evolve. We need a multi-layered approach that analyzes more than just a few data points. For example, behavioral biometrics, which analyze how a user interacts with a form – their typing speed, mouse movements, and time spent on fields – can reveal patterns that bots cannot replicate. This kind of in-depth analysis, looking at over 101 data points, helps us identify even the most advanced fraud attempts. By integrating real-time verification into our lead generation workflow, we can assess risk instantly and make informed decisions about which leads to pursue. This proactive stance is essential for maintaining compliance and profitability in 2026 and beyond. You can explore advanced verification systems like Argus's 101-point system to understand the depth of analysis now available.

The Future of TCPA Compliance Lead Generation

As we look ahead, the landscape of TCPA compliance in lead generation is set to become even more intricate. Regulatory bodies are sharpening their focus, and the methods used by fraudsters are constantly evolving. Staying ahead means anticipating these shifts and building a robust strategy that prioritizes genuine consent and verifiable data.

Anticipating Regulatory Shifts and Enforcement Trends

The trend lines are clear: TCPA enforcement isn't slowing down. We've seen a significant increase in class action lawsuits, with filings more than doubling year-over-year in early 2025. This surge indicates a heightened level of scrutiny from both regulators and private legal firms eager to capitalize on non-compliance. We anticipate that future regulations will likely demand even more granular proof of consent, potentially requiring explicit, documented opt-ins for every communication channel. The days of implied consent are rapidly fading, and the burden of proof will continue to rest squarely on the caller. This means our documentation practices need to be not just good, but ironclad, ready to withstand legal challenges.

The Role of AI and Machine Learning in Fraud Detection

To combat the increasingly sophisticated tactics of bot farms and fraudsters, artificial intelligence and machine learning are becoming indispensable tools. Traditional verification methods, which often check only a few data points, are no longer sufficient. The future lies in multi-layered analysis that examines hundreds of data points in real-time. AI can process this vast amount of information, identifying subtle patterns that indicate fraudulent activity – patterns that would be invisible to human analysis. This includes analyzing behavioral biometrics, like typing rhythm and mouse movements, to distinguish between a real person and a bot. By analyzing 101 data points in under 150 milliseconds, we can achieve a level of fraud detection that was previously unimaginable. This technology allows us to move beyond simple checks and truly understand the legitimacy of a lead before it enters our pipeline.

Building a Sustainable and Compliant Lead Generation Strategy

Ultimately, the future of TCPA compliance in lead generation hinges on building a sustainable strategy that integrates verification at every step. This means moving away from siloed tools and adopting a unified approach. We need to embed verification directly into our intake process, ensuring that every lead is assessed for validity and consent compliance before it's passed to sales. This proactive stance not only mitigates risk but also improves the quality of our leads, leading to better conversion rates and a stronger return on investment. It's about creating a system where compliance isn't an afterthought, but a core component of our lead generation engine. This approach protects us from costly fines and settlements, like the $21 million TCPA settlement that contributed to the shutdown of Assurance IQ, and ensures our brand reputation remains intact. By embracing advanced verification technologies and adapting to the evolving regulatory environment, we can build a lead generation process that is both effective and compliant for the long term.

Staying on top of TCPA rules for getting new customers can be tricky. But don't worry, we've got your back! Our methods help you find leads the right way, so you can grow your business without any headaches. Want to learn more about how we make lead generation simple and safe? Visit our website today to see how we can help you succeed!

Moving Forward with Confidence

The landscape of lead generation in 2026 is complex, but not insurmountable. We've seen how the costs of invalid leads and TCPA violations can cripple even well-established businesses, with class action settlements reaching millions and companies folding entirely due to unverified data. The data is clear: relying on outdated methods or trusting vendors without verification is a gamble we can no longer afford. By implementing robust, real-time verification processes, like those analyzing 101 data points in milliseconds, we can significantly reduce wasted spend, protect ourselves from costly legal penalties, and ensure our sales teams are focused on genuine opportunities. It's time to shift from volume to verified quality, building a more trustworthy and profitable lead generation future.

Frequently Asked Questions

Why is TCPA compliance so important for lead buyers in 2026?

TCPA rules are getting stricter, and more lawsuits are happening. If we, as lead buyers, don't make sure the leads we get are compliant, we could face huge fines. These fines can be up to $1,500 for every single unwanted call or text. It's our job to make sure the leads we buy have proper permission.

How can we tell if leads are fake or fraudulent?

Bad guys use tricky ways like bots to create fake leads or steal information. It's estimated that about 25-30% of online leads are not real. These fake leads waste our sales team's time and can even lead to legal trouble if they're used improperly.

What does 'proving consent' mean for us?

It means we need clear proof that the person actually agreed to be contacted. This proof needs to be documented, showing exactly when and how they gave permission. We can't just assume someone is okay with being called; we need solid evidence, like a timestamped record of their agreement.

How can technology help us track consent?

We can use special tools that automatically record consent details when someone fills out a form. These systems capture things like the time, IP address, and the exact words they agreed to. This makes it much easier to prove consent if it's ever questioned.

What's the difference between basic verification and a multi-layered approach?

Basic checks might just look at one or two things, like an email address. A multi-layered approach looks at many different signals – over 100 in some cases! This includes checking how someone types, how they move their mouse, and other digital clues to see if they're a real person or a bot.

How quickly can leads be verified?

Speed is key! Good verification systems can check a lead in less than 150 milliseconds. This means we can find out if a lead is good or bad almost instantly, right when it comes in, without slowing down our sales process.

What happens if we buy leads that aren't verified?

If we buy unverified leads, our sales team might waste a lot of time calling people who aren't interested or who never agreed to be contacted. This hurts our productivity, damages our brand's reputation, and can lead to costly TCPA fines. We also miss out on real opportunities because our team is busy with bad leads.

How do we choose the right company to help us verify leads?

We should look for a partner that offers deep verification, checking many different data points. It's also important that they handle data securely and respect privacy. We need to understand if they are just processing data for us or if they are making decisions about it, and ensure they follow all privacy rules.