ON THE RECORD
John Henson discusses compliance, growth, and building smarter consent strategies
John Henson
Founder | Henson Legal
Steve Rafferty
CEO & Founder | ActiveProspect
John Henson is a compliance attorney and regulatory strategist who advises companies navigating TCPA, FTC, and evolving state telemarketing laws. He is the founder of Henson Legal, PLLC and previously served as General Counsel at ConsumerAffairs and Interim General Counsel and VP of Compliance at LendingTree, where he also held leadership roles on the business side including Assistant General Manager of the Mortgage vertical. Having led both growth teams and legal departments, John focuses on helping organizations design compliant marketing programs that still move the business forward.
SR:
John, you’ve been both the growth executive responsible for a P&L and the General Counsel responsible for managing risk. How did sitting in both seats change the way you think about compliance as a growth lever rather than a brake?
JH:
I worked with a lady once who always led with "no." When you're running on the business side and trying to grow, every time you run into a "no", it feels like someone pulling the emergency brake. I realized that some of the disconnect is purely a result of both sides not understanding what the other side is trying to accomplish. The business wants to grow revenue and the customer base. The legal side wants to mitigate as much risk as possible. But the issue I kept seeing was that both sides assumed they knew EXACTLY where the other side was coming from and those assumptions were preventing a real dialogue and conversation about how to accomplish the goals.
I try to understand the business’s needs and work backwards from that starting point to find the most compliant version of what the business wants, instead of starting at the most compliant version possible. Those are two different endpoints. But starting from the business's perspective is the key to a great collaborative environment.
SR:
You’ve led compliance at companies like LendingTree and ConsumerAffairs and now advise founders on TCPA, FTC, and other risks. What’s one “rookie mistake” you still see big and small companies making?
JH:
Copying other companies' consent language, Terms of Use, or Privacy Policy. I've seen big companies do it when rolling out a new form and I see small companies do it all the time. Unless your business is EXACTLY the same as the other company (which it's NOT), your documentation needs to be tailored for the business you have.
This becomes more important with consent language. The consent language is the key that unlocks your business opportunities. Does the consent language match what you want to do? Does it match HOW you want to do it? Blindly assuming someone else's language covers your use cases is a really bad idea.
SR:
Everyone talks about tech solving compliance. What’s the most common structural mistake you see lead generators make that quietly creates long-term compliance exposure?
JH:
It's not purely a tech issue, but the biggest mistake is being willfully ignorant of lead sources.
Where are the leads coming from? How did the consumer end up there? What consent language did they see and agree to? These are basic questions that rarely get asked, but they end up costing lead generators millions of dollars a year in legal fees and settlements.
From a tech perspective, it's systems not talking to each other. The AI Voice platform doesn't report back DNC claims. The CRM doesn't update correctly and too many texts are sent. There is no way to track duplicates. These seem like small issues, but they will become very large at scale.
SR:
Between AI voice calling, state privacy laws, and evolving enforcement trends, it’s a shifting field. Where are teams overthinking compliance, and where are they leaving gaping holes?
JH:
I'm not sure I have seen anybody OVERTHINKING compliance (laughs).
The gaping hole right now is prior express written consent architecture for AI voice specifically. The 2024 FCC ruling created a distinct consent requirement that most platforms and clients haven't operationalized. They're running five-year-old consent language and assuming it covers new technology. It doesn't. That's the gap that generates the next enforcement wave.
And don't sleep on state laws. States like Texas, Oklahoma, and Florida are really ramping up the regulatory environment for telemarketing. Teams treat federal compliance like the ceiling when it's increasingly just the floor.
SR:
Last question, you’re a big college football fan and understand the importance of establishing the run, but also taking shots downfield to keep a defense honest. What’s your rule of thumb for a company searching for the perfect balance between the human touch on compliance processes and when to automate with technology?
JH:
I love this analogy. And I can make college football analogies all day. But I think this one is a little backwards. Everyone wants to throw the ball and score a ton of points. It's fun. It's trendy. It's sexy. It's great. And in this business, that is automation and scaling. The scaling question is where I see the most strategic confusion. Teams hit a growth inflection point and want to automate everything. But the problems I see are the companies that automate everything without any human checkpoints.
Automation should handle the repetitive and measurable: scrubbing lists, flagging consent records outside defined parameters, and triggering vendor audits on a schedule. Where you need a human in the loop is anywhere that automation affects an actual decision – a new publisher getting approved, a consent disclosure getting changed, a flagged record getting cleared. Those aren't rubber stamps.
So, you have to "get back to the basics and run the damn ball." People get lulled into sleep because the automations are running, but who is monitoring the monitors? Someone with judgment needs to sign off, because if it goes wrong, you need to show a regulator that a person made that call. This oversight is "keeping the defense honest."
Another compliance mistake I see most is automation that generates reports nobody reads. Beautiful dashboards, a great compliance tech stack – and then a flag fires Friday afternoon and sits until Monday. Automation without a defined human response protocol isn't a compliance program. It's like an Air Raid offense – sure, they get a lot of passing yards, but if they can't stop the other team, what does it matter?
