Last updated 2026-07-09

TL;DR
Double opt-in SMS consent requires a subscriber to confirm their sign-up by replying to an initial text before you add them to your list. That confirmation creates a timestamped, subscriber-generated record proving they asked for your messages. Under TCPA's $500-to-$1,500-per-text liability, that record is often the only thing standing between you and a class action.
What is double opt-in SMS consent?
Double opt-in is a two-step process. A person gives you their phone number and asks for texts (step one), then gets an initial message asking them to confirm that request, usually by replying YES or a similar keyword (step two). Only after that reply do you add them to your active list.
Single opt-in stops at step one. The subscriber typed in a number, maybe checked a box, and that's it. Double opt-in adds a second action that comes from the subscriber's own phone. That's the part that matters legally.
The confirmation reply is the gold. It proves the person holding that phone actively wanted your messages, and it creates a record you didn't generate yourself. A plaintiff's lawyer can argue that your internal opt-in log was faked or misattributed. They cannot easily argue that a carrier-timestamped inbound reply from the subscriber's own number was faked.
What does the TCPA actually say about SMS consent?
The Telephone Consumer Protection Act, 47 U.S.C. § 227, prohibits using an automatic telephone dialing system or an artificial or prerecorded voice to send a message to any cellular phone without the called party's "prior express consent." [1] For marketing messages, the FCC raised that standard to "prior express written consent" through its 2012 rules, which took effect October 16, 2013. [2]
The statute never says "double opt-in." The FCC doesn't mandate it by name either. What the FCC requires is written consent that includes a clear and conspicuous disclosure that the person is authorizing marketing texts, an agreement that is not a condition of purchase, and the person's signature, which can be an electronic signature or a text-based confirmation. [2]
Here is the actual language from 47 C.F.R. § 64.1200(f)(9) defining prior express written consent. It must include "a written agreement, including agreement obtained via an electronic or digital form of signature, between the person called and the seller that clearly and conspicuously discloses" that marketing calls or texts may be placed. [3]
Double opt-in satisfies all of that. It also creates a record you can put in front of a judge. That's the practical reason teams use it even though nothing technically requires it.
What is the real financial risk if your consent records are weak?
TCPA damages are $500 per violation for negligent violations and $1,500 per violation for willful ones. [1] Each text is a separate violation. Send a marketing blast to 10,000 people without adequate consent documentation and you're looking at theoretical exposure of $5 million to $15 million. Courts do certify these as class actions. Settlements run into the tens of millions.
The Cash App TCPA class action settlement resolved for $3.9 million. The Credit One TCPA settlement reached $12.5 million. Both cases turned largely on whether the defendants could produce clean consent records.
Nobody has a perfect dataset on what share of TCPA suits settle versus go to judgment. The litigation math, though, is clear: plaintiff's attorneys file on contingency, the per-message damages are steep, and class certification is achievable. Consumers file tens of thousands of unwanted-call and text complaints with the FCC every year. [4] The fastest way to make a plaintiff's lawyer move on is to hand them a timestamped double opt-in confirmation and say "show me your damages."
A single unconfirmed opt-in from a reassigned number or a mistyped digit can turn into a named plaintiff. Double opt-in blocks that specific attack, because the confirmation had to come from the actual device.
How does double opt-in actually work in practice?
The flow looks like this in most SMS platforms:
1. Person fills out a web form, texts a keyword to your shortcode, or checks a box at checkout. You collect name, number, and consent disclosure. 2. Your platform immediately sends one confirmation text: something like "Reply YES to confirm you want [Brand] texts. Msg & data rates may apply. Reply STOP to cancel." 3. The subscriber replies YES from their own phone. 4. Your platform logs the inbound reply with a timestamp and the subscriber's number, then adds them to your active list. 5. You keep that log indefinitely. If you ever face a TCPA claim, you pull the record for that number.
The details that matter: the confirmation text itself can't be a marketing message. It's a confirmation request, nothing else. Keep it plain. Some teams slip a promotional offer into the confirmation message, which raises a separate question about whether they were supposed to have consent before sending that text.
Retention gets skipped constantly. Good consent records you delete after two years are useless. The statute of limitations for a TCPA claim is four years under 28 U.S.C. § 1658. [5] Keep every opt-in record for at least four years from the date of the last message you sent to that subscriber.
For outbound campaigns using text message marketing, the confirmation record is the foundation of your whole compliance posture.
How does double opt-in create a better litigation defense than single opt-in?
Single opt-in puts the burden of proof on you. You have to show a record that says "this person entered their number on this form at this time." A plaintiff can say the record is wrong, the number was reassigned, or someone else typed in their number as a prank. These are real attack vectors in TCPA litigation.
Double opt-in changes the evidentiary picture. The confirmation reply is an inbound message from the subscriber's carrier. Carriers timestamp it. It lives in your platform logs and possibly in the subscriber's own text history. To claim you texted without consent, the plaintiff has to explain why they replied YES from their own phone.
TCPA defense work has a term called "established business relationship" (EBR), but it's mostly irrelevant for SMS marketing after the FCC's 2012 rules tightened the written consent requirement. [2] Don't lean on EBR for text marketing.
The stronger framework is this: produce the consent record, show it came before the first marketing text, show the confirmation came from the subscriber's device, and show every later text carried a working opt-out. Double opt-in handles the first three automatically if your platform logs correctly.
One more piece. The FCC's one-to-one consent rule, adopted in December 2023, requires that prior express written consent name the specific seller. [6] A form that says "our partners" no longer works for third-party lead generators. Double opt-in won't fix a bad consent form, but it does create a clear record of when and how consent was obtained for whatever specific seller the form names.
What does the FCC's 2024 one-to-one consent rule change about opt-in?
The FCC adopted a Report and Order in December 2023 (FCC 23-107) that reworked how lead generation consent operates. [6] The rule was scheduled to take effect January 27, 2025.
Under the old reading, a single web form could produce consent for an entire network of lead buyers. One check of a box could authorize fifty companies to text you. The new rule says the consumer must give consent to one seller at a time, the consent must be logically and topically related to the website where it's collected, and each consenting seller must be named.
For double opt-in, that means your confirmation flow has to confirm consent for your specific brand. A generic "confirm your subscription" reply doesn't hold up if your consent form tried to bundle multiple brands. The FCC's order in FCC 23-107 frames consent as running to a single identified seller rather than a broad category of companies.
Practically: if you buy leads from a third party, you can't rely on their opt-in record for your TCPA defense unless it named you specifically and the subscriber confirmed consent to you specifically. Double opt-in from your own platform is the cleanest way to document that. Purchased lead lists without confirmed opt-in for your brand are riskier now than they were before.
Does double opt-in reduce list size, and is that a real problem?
Yes. Honestly, yes. Confirmation rates for double opt-in typically run between 60% and 85% depending on your industry, your confirmation message, and how fast you send it. Some teams see rates as low as 50% for cold keyword campaigns. Your list gets smaller.
Here's why that's usually fine. The subscribers who confirm actually want to hear from you. They remembered signing up. They took the trouble to reply. Unconfirmed contacts often include wrong numbers, numbers typed fast at checkout, and numbers entered by someone else. Those contacts generate complaints, STOP requests, and the occasional TCPA plaintiff.
Engagement rates on double opt-in lists tend to run higher than on single opt-in lists, though nobody has clean industry-wide SMS data on this. The closest published work comes from email marketing, where confirmed opt-in has been standard longer, and it consistently shows confirmed subscribers open more and complain less. The principle carries over to SMS.
One practical note. If you're running a legitimate cold calling operation and also running an inbound SMS sign-up, don't mix those databases. The consent documentation requirements are different. Cold call leads need separate handling.
What records do you need to keep to use double opt-in as a defense?
Your double opt-in records need to answer six questions if a plaintiff's lawyer ever asks:
1. What phone number consented? 2. What disclosure did they see before opting in? 3. When did they complete step one (initial sign-up)? 4. When did they reply to the confirmation text? 5. What exact text did your platform send as the confirmation request? 6. What was their exact reply?
You need all six. A log that says "YES received at 2024-03-15 14:32:07 from +15555550101" is worth very little if you can't produce the confirmation message your platform sent or the original consent disclosure they saw.
Store these records in a format that can't be easily edited. Database exports with a hash, platform-native archived logs, or third-party compliance storage all work. Spreadsheets someone maintains by hand are a problem.
The four-year window under 28 U.S.C. § 1658 is the minimum retention period. [5] If you're in California, the CCPA carries its own data retention considerations, and California has state-level telemarketing penalties that run parallel to TCPA. [7] Longer retention (five to seven years) is reasonable for high-volume programs.
LeadCompliant's free compliance kit includes a consent log template you can adapt to your platform's export format, if you want a starting structure.
Keep your opt-out records with the same rigor. If someone texts STOP, you log it, honor it immediately, and never send that number another marketing message. Sending a marketing text after a STOP request is one of the fastest ways to a "willful" finding, which means $1,500 per message instead of $500. [1]
Are there industries or use cases where double opt-in is especially important?
Financial services, insurance, debt collection, and home services lead generation carry the highest TCPA exposure. They attract professional plaintiffs and class action attorneys who know the statute cold.
If you're in any of these verticals, double opt-in is not optional in any practical sense. The TCPA litigation landscape for financial products is brutal. Consent documentation is the first thing defense counsel asks for.
Health-related texts add HIPAA considerations if the messages touch treatment or coverage. Double opt-in doesn't resolve HIPAA, but it does cover the TCPA side.
Political texting sits partly outside TCPA's prior express written consent requirement for autodialed calls, but the exemption is narrow and contested. Get counsel on that one. Don't assume an exemption applies without checking.
E-commerce brands sending transactional texts (order confirmations, shipping updates) have more room, because those aren't marketing messages under the statute. The moment you add a promotional element, you're in marketing territory and consent rules tighten. Double opt-in your marketing list separately from your transactional list.
If you're worried about your numbers landing on the mobile phone do not call list, or you're unsure how to handle do not call list scrubbing alongside your SMS program, those are separate jobs. Double opt-in covers your consent documentation. DNC scrubbing covers the separate regulatory layer for voice calls.
How does double opt-in interact with the National DNC Registry?
The National Do Not Call Registry, governed by 47 C.F.R. § 64.1200, applies mainly to telephone solicitations, meaning voice calls. [8] The FCC's position is that the DNC rules also reach text messages sent with autodialing technology, because a text counts as a "call" under 47 U.S.C. § 227(b)(1)(A). [1]
Here's where it layers. Even if someone double opted in to your SMS list, if their number sits on the National DNC Registry you have a problem for voice calls. If you later try to call them instead of text, their DNC registration stands regardless of their SMS opt-in. Consent for texts is not automatically consent for calls.
For pure SMS programs, the more relevant overlay is the internal do-not-contact list you have to maintain. TCPA requires you to keep your own company-specific DNC list and honor STOP requests. The National Registry is an extra check for voice, but your internal opt-out list is non-negotiable for both channels.
If you need to pull or check the National Registry for your call program, our guides on how do i get the do not call list and do not call telemarketer list registration are your starting points.
What are the most common double opt-in mistakes that defeat your defense?
The mistakes that actually sink teams in litigation:
Sending a marketing message in the confirmation text. That message must request confirmation. Any promotional content in it means you sent marketing before consent was confirmed.
Using an ambiguous confirmation keyword. "Reply Y" where Y could mean yes to something else in the thread creates arguments. "Reply YES to confirm" is unambiguous.
Failing to scrub unconfirmed contacts after a reasonable window. Industry practice is 24 to 48 hours for the confirmation window. After that, the unconfirmed record should not receive marketing messages. Some platforms leave unconfirmed contacts in an active queue forever, which is a disaster.
Not retaining the exact text of the consent disclosure. You can have a beautiful confirmation reply log and still lose a TCPA motion if you can't prove what the subscriber saw and agreed to at step one.
Buying a list that was supposedly double opted in by a third party and treating it as your own. The FCC's one-to-one rule made this far more dangerous. [6] Their opt-in record isn't your opt-in record unless it named you specifically.
Changing platforms and losing the historical logs in the migration. Back up consent records before any platform switch. Every platform has a different export format, and consent records don't always move cleanly.
How should you set up double opt-in if you're starting from scratch?
Start with your consent form, not your platform. The form needs to disclose who will be texting (your legal brand name), that they'll get marketing messages specifically, approximate message frequency, that message and data rates may apply, and how to opt out. This is basic FCC compliance before double opt-in even enters the picture. [2]
Pick a platform with native double opt-in and built-in logging. Most serious SMS marketing platforms (Klaviyo, Postscript, Attentive, SimpleTexting, and others) support this. The platform logs the inbound confirmation automatically. Verify that the export includes the timestamp, the subscriber's number, and the content of the confirmation reply before you commit to any platform.
Write one confirmation message. Keep it under 160 characters so it sends as a single segment. Include the brand name, a plain instruction to reply YES, a note on message frequency ("up to X msgs/month"), and a STOP opt-out mention. Test it on multiple carriers before launch.
Set a confirmation window. 24 to 48 hours is standard. When it closes, move unconfirmed contacts to a quarantine segment. Do not send them marketing messages. You can send one non-marketing reminder inside that window if your platform supports it and you're confident the initial message was genuinely solicited.
Export and archive consent records monthly. Name the files with a date and keep them in cold storage you own, more than inside the platform. Platforms get acquired, change pricing, and lose data.
If you want a full checklist for this setup, LeadCompliant's free compliance kit covers the consent form language, confirmation message templates, and record-keeping structure in one document.
Frequently asked questions
Is double opt-in required by law for SMS marketing?
No law or FCC rule mandates double opt-in by name. The FCC requires prior express written consent for marketing texts under 47 C.F.R. § 64.1200(f)(9), and double opt-in is the cleanest way to document that consent. A well-documented single opt-in can also satisfy the standard. The value of double opt-in is evidentiary: it creates a subscriber-generated record that's very hard to dispute in litigation.
Can I use a web form checkbox as my consent record without double opt-in?
A checkbox opt-in can satisfy prior express written consent if the disclosure language meets FCC requirements. The weakness is that you can't prove the person who owns that number was the one who checked the box. Someone could have typed in a wrong number or someone else's number. Double opt-in adds a confirmation from the actual device, which fills that evidentiary gap and is usually worth the list-size reduction.
How long do I need to keep SMS double opt-in records?
The TCPA statute of limitations is four years under 28 U.S.C. § 1658, so four years is the minimum from the date of the last marketing message sent to that subscriber. Many compliance programs keep records five to seven years to be safe. The records you need include the consent disclosure text, the confirmation message you sent, the subscriber's reply, and timestamps for all three events.
What happens if someone confirms opt-in and then their number gets reassigned?
Number reassignment is a real TCPA risk. Your double opt-in record proves the person at that number on that date consented. If the number was later reassigned and you kept texting, the new owner of that number has a claim. Scrub your list against the FCC's Reassigned Numbers Database regularly to catch reassignments before you text an unintended recipient. The database lives at reassigned.us.
Does the FCC's 2024 one-to-one consent rule require double opt-in?
No, it doesn't require double opt-in specifically. But the one-to-one rule requires that prior express written consent name your specific company, not a broad category of partners. Double opt-in from your own platform confirming consent to your brand is the most reliable way to document that single-seller consent requirement under FCC 23-107.
Can I buy a list that was double opted in by a lead generator and use it for my SMS campaigns?
After the FCC's one-to-one consent rule, this is very high risk. The opt-in record must name your specific company. A lead generator's generic form that says 'our partners may contact you' no longer satisfies the written consent requirement for your brand. You'd need to confirm the lead generator's form specifically named you and that the subscriber confirmed consent to you.
What should a compliant double opt-in confirmation text say?
Keep it under 160 characters. Include your brand name, a clear instruction ("Reply YES to confirm"), a note on message frequency, a mention that message and data rates may apply, and how to opt out (reply STOP). Do not include promotional content in the confirmation text itself. That message should do one thing: ask for confirmation. Any offer in it creates a consent timing problem.
Does double opt-in protect against all TCPA claims?
No. Double opt-in addresses the prior express written consent element, which is often the central issue. But TCPA liability also depends on whether you used an automatic telephone dialing system, whether the technology qualifies as an ATDS under current case law, whether you honored opt-outs promptly, and whether the calls or texts were actually marketing. Clean consent records help, but they're one layer of defense, not the whole picture.
What is the difference between prior express consent and prior express written consent for SMS?
Prior express consent is the standard for informational texts like appointment reminders. Prior express written consent is the higher standard for marketing texts, per the FCC's 2012 rules effective October 2013. Written consent requires a signed agreement that clearly discloses the marketing nature of the messages and confirms the person isn't required to consent as a condition of purchase. Electronic signatures and text-based confirmations count as written consent.
How does double opt-in affect SMS deliverability and list size?
Realistically, you'll lose somewhere between 15% and 40% of initial sign-ups who never complete confirmation. That's people who gave wrong numbers, weren't paying attention, or changed their mind. The remaining confirmed list tends to have lower complaint rates and higher engagement. From a purely financial standpoint, one unconfirmed subscriber who becomes a TCPA plaintiff costs more than a year of successful campaigns earns.
Is double opt-in enough if my consent disclosure language is bad?
No. Double opt-in confirms that the subscriber received and replied to your message. It does not fix bad disclosure language at step one. If your consent form didn't clearly disclose that marketing texts would be sent, didn't name your company, or made consent a condition of purchase, the confirmation doesn't cure those defects. The disclosure at step one and the confirmation at step two both have to be right.
Do TCPA consent rules apply to texts sent manually, not via an autodialer?
The TCPA's prior express written consent requirement for marketing messages to cell phones applies specifically to messages sent using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice. Truly manual one-at-a-time texts from a regular phone may not trigger the written consent requirement, though this area of law is actively contested in courts. In practice, most bulk SMS platforms qualify as or resemble an ATDS.
What have courts said about the importance of SMS consent records in TCPA cases?
Courts across multiple circuits have consistently held that the burden of proving prior express consent lies with the sender. If you can't produce a consent record, you generally lose on that element. The Ninth and Eleventh Circuits have been especially active on TCPA issues. The inability to produce clean consent documentation is the single most common reason defendants settle TCPA cases rather than fight them.
Sources
- Cornell Law School LII, 47 U.S.C. § 227 (TCPA statute text): TCPA imposes $500 per violation damages and $1,500 for willful violations; prohibits autodialed texts to cell phones without prior express consent
- FCC, 2012 TCPA Rules (Report and Order FCC 12-21, effective October 16, 2013): FCC required prior express written consent for marketing texts; defined written consent requirements including clear disclosure and non-conditioning on purchase
- eCFR, 47 C.F.R. § 64.1200 (Code of Federal Regulations, FCC rules): 47 C.F.R. § 64.1200(f)(9) defines prior express written consent, requiring a written agreement with a clear and conspicuous disclosure of marketing communications
- Cornell Law School LII, 28 U.S.C. § 1658 (federal statute of limitations): The four-year federal statute of limitations under 28 U.S.C. § 1658 applies to TCPA claims
- FCC, Report and Order FCC 23-107 (December 2023, one-to-one consent rule): FCC adopted one-to-one consent rule requiring prior express written consent to name a specific seller, scheduled to take effect January 27, 2025
- California Legislative Information, California Codes (Civil Code and Business and Professions Code): California has state-level consumer protection and data retention obligations that run parallel to TCPA for California residents
- FTC, National Do Not Call Registry (donotcall.gov): The National DNC Registry applies to telephone solicitations including texts sent via autodialing technology
- FCC, Reassigned Numbers Database (reassigned.us): The FCC-authorized Reassigned Numbers Database helps callers and texters verify whether a number has been reassigned to a new subscriber
- eCFR, 47 C.F.R. § 64.1200(a)(1) (autodialed and prerecorded calls and texts to cell phones): FCC rules confirm that text messages are subject to TCPA restrictions, including consent requirements for automated or bulk texts to cell phones