Is My Lead Provider Sending Me Leads Legally? A Lender's Due-Diligence Checklist

On a purchased lead, the compliance risk lands on you, not your vendor. How to vet any Canadian lead provider on consent, channel, privacy, and licensing.

Cris Ravazzano

It is the right question to ask. It is also framed the wrong way, because it points the risk at your vendor. Under Canadian law, the risk points back at you.

When you buy or receive a lead, you are not just buying contact information. You are inheriting every decision the affiliate made to collect it: how consent was captured, what the consumer was actually told, which channels they agreed to, and whether anyone can prove any of it later. If that chain is broken, a regulator does not stop at the affiliate who sold the data. It looks at the business that contacted the consumer and profited from it. That is you.

Here is how to vet a provider before the leads start flowing, and what a clean one should be able to hand you on request.

Why a provider's failure becomes your problem

Three separate regimes can put a lender on the hook for a lead it merely purchased.

CASL. Canada's anti-spam law does not only target the party that clicks send. Liability extends to those who cause or permit a non-compliant commercial electronic message, and directors and officers can carry personal exposure. The maximum administrative penalty is up to 10 million dollars per violation for a business. A purchased list with no verifiable express consent behind it is the most common way lenders walk into that exposure. If you want the consent mechanics in plain terms, see getting CASL consent right.

PIPEDA and Quebec's Law 25. The moment you receive personal information and act on it, you are an accountable party in your own right. You cannot outsource that accountability to the affiliate who handed you the record. Law 25 carries steep exposure for mishandled personal information and adds explicit consent, cross-border transfer, and automated-decision disclosure obligations that most lead vendors never mention.

Lending law itself. Since January 1, 2025, the federal criminal interest rate cap sits at 35 percent APR for most consumer credit, and provinces layer their own licensing on top. A lead is not clean if it routes a consumer to a lender that is not licensed to serve them where they live. Quebec is the sharpest version of this problem, where high-cost credit lenders must hold an OPC licence. The full picture is in our Quebec market and OPC licensing explainer.

None of these care whose name is on the invoice. They care who contacted the consumer.

The due-diligence checklist

Run a provider through these seven points before you sign. If they cannot answer cleanly, that is your answer.

1. Consent provenance

Ask them to produce the actual consent record for a sample of leads: timestamp, IP address, the form URL, and the exact wording the consumer agreed to. Express consent that cannot be produced on demand is not express consent you can rely on. If the answer is some version of "it came from our network," treat the lead as unconsented until proven otherwise.

2. Consent scope and the chain

Consent is not generic. The consumer agreed to be contacted by someone, for something. Did they agree to be contacted by you, or by your category of lender, or by an unnamed list of "partners"? Vague third-party language does not stretch to cover whoever buys the lead last. Read the disclosure the consumer actually saw, not the summary the vendor gives you.

3. Channel match

The rules change with the channel, and vendors blur this constantly. Email and SMS fall under CASL. Outbound phone calls fall under the CRTC's Unsolicited Telecommunications Rules and the National Do Not Call List, a different regime with its own consent and scrubbing requirements. A lead consented for email is not automatically a lead you can dial. Confirm the consent covers the channel you intend to use.

4. Privacy and data handling

Under PIPEDA and Law 25, ask how the data was collected, where it is stored, whether it crossed a border, and whether a privacy impact assessment exists for that transfer. Confirm the consumer can be told their data was shared and can request deletion. If the provider cannot describe its own data-handling chain, you are buying a liability you cannot see.

5. Licensing match by province

Confirm the provider routes leads only to lenders licensed to operate where the consumer resides, and that the offer respects the 35 percent APR cap for consumer credit. For Quebec specifically, confirm any high-cost product is matched to an OPC-licensed lender and that French-language obligations are met. A provider that ships every lead to every buyer regardless of province is selling you exposure, not leads.

6. Records and retention

CASL requires consent records to be retained, and you will want them for at least three years to mount a due-diligence defence if a complaint lands. Confirm the provider keeps these records and will surrender them to you on request, in a usable format, not a screenshot.

7. Your contract

Get the protection in writing. Your agreement should include a consent-proof obligation, audit rights, a data processing agreement, and indemnification for consent and privacy failures originating with the provider. Indemnification will not save you from a regulator, but it sorts out who pays, and a provider that refuses it is telling you how confident they are in their own sourcing.

Quick red flags

Most of these overlap with the warning signs of a weak program in general, covered in what to look for in a Canadian loan affiliate program. On the compliance side specifically, walk away if a provider:

  • Cannot produce a consent record on demand for a specific lead.
  • Describes consent as "the network handles that."
  • Sells the same lead into every vertical and province without segmentation.
  • Uses one consent to justify email, SMS, and phone outreach.
  • Has no written position on Law 25 or cross-border data transfer.
  • Refuses audit rights or indemnification.

What a compliant lead source looks like

A provider you can trust treats consent as a record it can produce, not a claim it makes. It matches leads to lenders by licence and province. It can tell you which channel each lead is cleared for, and it keeps the paper to prove it. That same discipline is what makes a lead worth more, because verified, properly consented, correctly routed applicants convert and fund at a higher rate. It is also what lets you safely build downstream value from traffic you already paid for, such as compliant decline monetization, and why verification at the source, like using IBV to lift weekend conversions, raises lead quality instead of just lead volume.

The bottom line

Stop asking whether your provider is compliant and start asking whether you can prove it. In an audit, "my vendor handled that" is not a defence. The records are. The cheapest lead in your campaign might be the most expensive one in an audit, and the only thing standing between you and that bill is the diligence you did before you bought it.

This article is general information for Canadian lenders and lead buyers. It is not legal advice. Confirm your specific obligations under CASL, PIPEDA, Law 25, and applicable provincial lending and licensing rules with qualified counsel.

Cris Ravazzano

Cris Ravazzano

Head of Marketing & Technology at Loans Canada and CreditMarketing.ca