Last updated 2026-07-10

TL;DR
Send a marketing text with an autodialer or prerecorded voice and you need prior express written consent (PEWC) first. That means a written, signed agreement with clear disclosures. The FCC set this rule in 2012 at 47 C.F.R. § 64.1200(f)(9). Get it wrong and each message costs $500, or $1,500 if the violation is willful. Class actions reach tens of millions.
What is prior express written consent under the TCPA?
Prior express written consent (PEWC) is the strictest consent standard in the Telephone Consumer Protection Act. You need it any time you send a marketing or promotional text using an automatic telephone dialing system (autodialer) or a prerecorded voice.[1]
The FCC defined PEWC in its 2012 omnibus order (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, 27 FCC Rcd 1830). The rule lives at 47 C.F.R. § 64.1200(f)(9), which says prior express written consent means "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice."[3]
That is a direct quote from the regulation. Every word carries weight. "Agreement in writing" includes electronic records under the E-SIGN Act, so a web form checkbox counts if the rest of the requirements are met. "Signature" includes an e-signature or a typed name. And "clearly authorizes" means the consent cannot hide in a terms-of-service page or ride along with a purchase.
Two lower tiers sit below PEWC. "Prior express consent" (no "written") covers informational or transactional calls and texts to a number the consumer gave the business. PEWC kicks in the moment the message turns promotional. Offering a discount, announcing a sale, pushing a product? You need PEWC. There is no gray area.
When is express written consent required under the TCPA?
Any time an autodialer or prerecorded voice delivers advertising or telemarketing content to a cell phone, you need prior express written consent first.[1][3] That is the whole trigger. Marketing content plus automated technology plus a mobile number equals PEWC.
The TCPA at 47 U.S.C. § 227(b)(1)(A)(iii) bars any call "using any automatic telephone dialing system or an artificial or prerecorded voice" to a cellular number "without the prior express consent of the called party." The FCC's 2012 rulemaking raised the bar to "prior express written consent" for marketing messages specifically, pulling them out of the informational bucket.[3]
Here is how the tiers line up in practice:
| Message type | Technology used | Consent required |
|---|---|---|
| Marketing / promotional text | Autodialer or prerecorded | Prior express WRITTEN consent |
| Informational text (e.g., package shipped) | Autodialer | Prior express consent (non-written is enough if number was voluntarily provided) |
| Live-agent outbound call to cell | No autodialer | Ordinary business contact rules; DNC list compliance still required |
| Robocall to cell with marketing content | Autodialer or prerecorded | Prior express WRITTEN consent |
One nuance trips people up constantly. A dual-purpose text (it confirms an order but also throws in a 10% off coupon) gets treated as marketing. The promotional element controls. The 2012 FCC order says outright that calls combining informational and telemarketing content fall under the higher standard.[3]
The 2023 one-to-one consent rule (Report and Order, FCC 23-107) added another layer on January 27, 2025. A consumer's consent to one seller no longer transfers to a separate, unrelated seller. Lead generators who sold a single consent form to 50 companies lost that model overnight.[4]
What must a valid TCPA consent disclosure actually say?
The written agreement has to contain two specific elements before the consumer signs. Miss either one and the consent is void.[3]
First, the consumer must not be required to sign as a condition of buying any property, goods, or services. A checkout page that forces a texting opt-in before you can complete the purchase fails the TCPA. The opt-in has to be genuinely optional.
Second, the agreement must include the telephone number to which the signer authorizes messages to be delivered. The consumer consents to messages on a specific number, not generically forever.
Beyond those two elements, the FCC's 2012 order and the FTC's parallel TSR rules expect the disclosure to name the seller, describe the type and general frequency of messages, and warn that message and data rates may apply.[3][5] The message-rate line is not in the TCPA statute itself. It shows up in the CTIA short code guidelines and FCC informal guidance, and courts have pointed to its absence as evidence that consent was not clearly given.
A minimal compliant consent block reads like this: "By checking this box, you agree to receive recurring marketing text messages from [Company Name] at the phone number provided. Message and data rates may apply. Consent is not a condition of purchase. Reply STOP to unsubscribe."
That is the floor. Some attorneys add message frequency ("up to 4 messages/month") and a privacy policy link. More detail usually means better protection when you get sued.
Keep a timestamped record of exactly what the consent language said when the consumer opted in, plus the IP address, the page URL, and the date. Courts have handed plaintiffs $1,500 per-message treble damages when the defendant could not produce its consent records.[1]
What does the TCPA require a business to disclose on marketing calls and texts?
The TCPA statute says little about message content, but the FCC's implementing rules at 47 C.F.R. § 64.1200 fill the gap. Here is what outbound marketing calls and texts have to include.[3]
On any telemarketing call, live or automated, the caller states three things at the start: the name of the individual calling, the name of the business the call is for, and a phone number or address where that business can be reached.[3] That last piece feeds the caller ID rules in the next section.
For texts specifically, the FCC has applied these same principles in orders going back to 2003. A marketing text cannot misrepresent who sent it. It has to include an opt-out mechanism (usually "Reply STOP to unsubscribe") that the sender honors within a reasonable time. The FCC has treated 10 business days as a safe harbor for processing opt-outs, though most TCPA practitioners push for same-day or next-business-day to be safe.[3]
The FTC's Telemarketing Sales Rule (TSR) at 16 C.F.R. Part 310 also requires you to disclose the seller's identity and that the call is a sales call before any pitch, and it covers many of the same companies the TCPA does.[5] Run both calls and texts and you are living under both rulebooks at once.
One disclosure the TCPA does not require but you should add anyway: a clear description of what the consumer signed up for. Vague consent ("receive updates from us") gets attacked in litigation as failing to clearly authorize the advertisements or telemarketing messages the statute names.
What does the TCPA require regarding caller identification information?
Section 227(e) of the TCPA bars caller ID spoofing done for fraudulent or harmful purposes. The FCC's Truth in Caller ID rules at 47 C.F.R. § 64.1604 prohibit anyone from causing a caller ID service "to transmit or display misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value."[1]
For legitimate outbound telemarketers, the practical rules are:
1. The Caller ID has to display a number that actually reaches the calling business or agent during normal business hours. No dead numbers, no numbers you do not control. 2. The displayed name (CNAM, Caller ID Name) must accurately represent the business. A fake company name is a violation. 3. For texts, the sending number (long code, short code, or toll-free) has to tie back to your business so the consumer can identify and contact you.
The FCC has hit companies with fines in the tens of millions for spoofing. In 2021 it proposed a $225 million fine against Texas-based telemarketers for spoofed robocalls, the largest spoofing fine in agency history at the time.[1]
The STIR/SHAKEN framework, adopted under the TRACED Act (Pub. L. No. 116-105), makes voice providers authenticate caller ID on IP networks. That is a carrier obligation, not a direct sender one. But if your calls land as "Scam Likely" because of weak STIR/SHAKEN scores, no consent record saves you from the call blocking and reputation hit that follow.[8]
For SMS: A2P 10DLC registration, required since 2023 for most business texting, links your sending numbers to your registered brand and campaign. Carriers now filter unregistered numbers. It is the closest thing texting has to caller-ID authentication, and it is functionally mandatory even though the TCPA itself never mentions it.
What is required under the TCPA when making automated marketing calls?
Automated marketing calls to cell phones need PEWC, as covered above. On top of consent, a stack of operational rules applies.[3]
Time restrictions. 47 C.F.R. § 64.1200(c)(1) bans telemarketing calls before 8 a.m. or after 9 p.m. local time at the called party's location. This covers texts too. The FCC treats texts as "calls" under the TCPA, so the same window applies.[3]
Do Not Call compliance. PEWC does not exempt you from the National Do Not Call Registry. A consumer who gave written consent for marketing texts can still register on the DNC list, and once they do, you stop. PEWC and DNC are independent obligations. The FCC's rules at 47 C.F.R. § 64.1200(c)(2) require you to keep an internal DNC list and scrub against the national registry every 31 days.
Opt-out honoring. Once a consumer revokes consent, you honor it. The FCC's 2024 Declaratory Ruling (FCC 24-75) said consumers can revoke through any reasonable means: replying STOP, telling an agent verbally, sending an email. You cannot contractually limit how they revoke.[9] That ruling caught plenty of companies flat-footed.
Called party verification. Misdial or hit a reassigned number and you can still face liability. The FCC's reassigned numbers database exists to help callers dodge this. Checking it before dialing is not legally required, but courts increasingly treat it as a reasonable precaution.[12]
Want to see what these violations cost once they pile up across a customer base? Look at UnitedHealthcare ($2.5 million) and Credit One Bank. These are not edge cases. They are what consent gaps produce when they compound over high-volume campaigns.
How did the FCC's 2023 and 2024 rule changes affect consent for marketing texts?
Two FCC orders from late 2023 and mid 2024 rewrote the consent map for lead generators and multi-seller campaigns. If your consent forms or vendor contracts predate January 2025, they may already be dead weight.
The first is FCC Report and Order FCC 23-107, adopted November 2023 and effective January 27, 2025. It closed what the FCC called the lead generator loophole. Under the old rules, a consumer who checked a box on a comparison-shopping site was arguably consenting to texts from every "marketing partner" buried in the fine print. The FCC ended that. Consent now has to be one-to-one: a single consent form authorizes texts from one named seller at a time. The consumer must affirmatively pick each seller.[4]
The second is FCC Declaratory Ruling FCC 24-75, adopted July 2024. It confirmed that consumers have a broad right to revoke TCPA consent through any reasonable method, and it rejected attempts to box revocation into a single channel like a website form. The ruling gave companies a 10-business-day safe harbor to process revocations sent through non-standard channels, but the right to revoke cannot be waived.[9]
Together, these two orders mean:
- Consent forms naming "our partners" or using broad category language are now invalid for autodialed marketing texts.
- Contracts saying "you may only opt out by visiting our website" are unenforceable as to TCPA revocation.
- Companies that leaned on purchased lead lists where one form covered 20 sellers have a compliance gap to close.
The text message marketing landscape looks nothing like 2022 because of these two orders. Rewrite the old forms.
What consent records do you actually need to keep, and for how long?
The TCPA sets no retention period, but the statute of limitations for a TCPA lawsuit is four years under 28 U.S.C. § 1658, the catch-all federal limitations period. That is your practical minimum. Keep consent records at least four years from the last contact with a subscriber. Many attorneys say five.
What the record needs to contain:
- Date and time of consent collection (a UTC timestamp is fine)
- The exact consent language shown to the consumer at that moment
- The consumer's phone number as entered
- IP address of the device used to opt in
- Page URL where the form appeared
- The consumer's affirmative action (checked box, typed signature, and so on)
This is not filler paperwork. In TCPA litigation, the defendant carries the burden of proving consent. If you cannot produce a clean record, the plaintiff's claim that they never consented gets treated as credible. Courts have granted summary judgment for plaintiffs when defendants offered only bulk spreadsheets with no individual timestamps.[1]
Store consent records in a system that creates an immutable log. If a record can be edited after the fact without an audit trail, opposing counsel will argue you fabricated it. A write-once, append-only database, or a third-party consent management platform, gives you something you can hand a court without flinching.
A well-structured spreadsheet beats nothing, as long as the timestamps come straight from the form submission system and not from someone typing them in later.
What are the real financial risks of getting TCPA consent wrong for text campaigns?
The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for knowing or willful ones.[1] Each text to each recipient is a separate violation. That is the number that turns a routine campaign into a bet-the-company problem.
Run the math. A campaign that texts 100,000 people without valid PEWC exposes you to $50 million at $500 per message, or $150 million at the treble level. Courts can reduce awards that look disproportionate. They also do not have to.
Real settlements land below the theoretical ceiling because class actions settle before trial, but they stay large. The Truist Bank TCPA class action settlement, the Cash App TCPA class action settlement, and the Albertsons/Safeway TCPA settlement each reached multi-million-dollar figures. None were unique bad actors. They were companies with volume texting programs and consent gaps.
Small companies are not safe either. A single plaintiff can file an individual TCPA case for every message they got. Serial TCPA plaintiffs (people sometimes call them professional plaintiffs) hunt for non-compliant senders, and even an individual suit costs real money once you factor in legal fees to defend it.
The honest calculus: if you are running 50,000 numbers with shaky consent provenance, the expected cost of a class action settlement almost certainly beats the cost of rebuilding your list with clean PEWC. The Kaiser TCPA settlement shows how large these get even in healthcare.
Does the TCPA apply to texts sent from regular 10-digit long codes?
Yes, with real nuance. The TCPA's autodialer restriction bites when a sender uses equipment that "has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator" and dials automatically.[1] The Supreme Court's 2021 ruling in Facebook v. Duguid (592 U.S. 395) narrowed that definition: a system has to use a random or sequential number generator, more than a stored list, to count as an autodialer under the statute.[10]
What that means on the ground: texting platforms that pull numbers from a list and send in sequence may not be autodialers under Duguid, depending on their architecture. Some platforms re-engineered their back ends specifically to escape the definition after Duguid. Whether that holds is still being fought out across the circuits.
Many platforms still use random or sequential generation somewhere in their stack. And state mini-TCPAs (California, Florida, Oklahoma, and others) often use broader autodialer definitions that ignore the Duguid standard entirely. Florida's Mini-TCPA (Fla. Stat. § 501.059) covers any "automated system for the selection or dialing of telephone numbers," which reaches well past Duguid.[11]
The safe move is to treat every bulk texting platform as potentially TCPA-covered and get PEWC anyway. A Duguid argument is a defense you raise after you get sued. It is not a compliance plan.
If you run text messaging marketing programs, audit your platform architecture with counsel before you launch at scale.
How should you structure a consent form to meet the FCC's official standard?
There is no FCC-approved template. But the regulation plus a decade of litigation outcomes hand you a clear blueprint.
The consent form must:
1. Sit separate from purchase or account-creation flows, or at minimum use an unchecked, optional checkbox that is not required to proceed. 2. Name the specific company sending the texts. After the 2025 one-to-one rule, "our partners" or a hyperlinked list does not satisfy this for autodialed marketing texts.[4] 3. Reference the phone number messages go to. In practice, the consumer enters or confirms their number on the same form. 4. Describe the content as advertising or marketing, not as "updates" or "information." 5. Capture the consumer's signature, which under E-SIGN can be an e-signature, a typed name, or an affirmatively clicked checkbox.
Beyond the legal floor, good forms specify rough message frequency ("up to 8 messages per month"), note that message and data rates may apply, and link the privacy policy.
Store a static screenshot or version-controlled copy of the exact consent page for every date it was live. Update the language in March 2025 and the consent you collected in January is still governed by the January text, not the March text. Courts care about what the consumer actually saw.
LeadCompliant's compliance kit includes a TCPA consent form template with the required elements marked off. It is a starting point, not legal advice. Have your own attorney review any form before you deploy it.
To see what happens when consent processes break down, the Joseph Snyder v. Credit One TCPA case shows how courts pick apart consent records in discovery.
Can you get oral consent for marketing texts, or does it have to be in writing?
Oral consent does not satisfy the TCPA's written consent requirement for marketing texts. The 2012 FCC order is blunt: the agreement must be "in writing, bearing the signature of the person called."[3] An oral agreement, even a recorded one, does not clear that bar.
Oral consent works for informational or transactional texts when the consumer handed you their number inside an existing relationship. The instant the message carries advertising content, that lower standard falls away.
This matters for businesses that grab phone numbers during inbound sales calls. A customer calls your 800 number and gives you their cell? That is prior express consent for account-related texts. It is not PEWC for marketing texts. You have to collect written consent separately, either through a written opt-in (like a text-to-join short code) or a PEWC element in a post-call confirmation email or web form.
Some companies try to skate by having agents read a consent disclosure on the call and asking the consumer to say "I agree." That fails the written requirement. A cleaner route is a follow-up confirmation text: "Reply YES to confirm you agree to receive marketing texts from [Company]. Msg&data rates may apply. Not required to purchase." A YES reply is a written agreement under E-SIGN and does satisfy PEWC, as long as the disclosure in the text meets the substantive requirements.
For teams tracking FCC orders and enforcement, the tcpa news section covers new rulings and major case outcomes as they land.
Frequently asked questions
When is express written consent required under the TCPA?
Prior express written consent is required before any marketing or promotional text sent with an autodialer or prerecorded voice. This took effect in October 2013 under the FCC's 2012 omnibus TCPA order. If the message carries any advertising content, like a discount, promotion, or product pitch, you need written consent. Informational or transactional messages can use the lower prior express consent standard.
What is express consent under the TCPA?
Express consent is a consumer's affirmative agreement to receive calls or texts. The TCPA has two tiers: prior express consent (non-written, enough for informational calls to a number the consumer voluntarily provided) and prior express written consent (required for marketing messages). Express consent is never implied from a business relationship or a past purchase. It takes an affirmative act by the consumer.
What requires prior express written consent under the TCPA?
Any autodialed or prerecorded marketing message to a cell phone requires prior express written consent. That covers promotional SMS, MMS, ringless voicemails, and robocalls advertising goods or services. The FCC's 2012 rulemaking codified this at 47 C.F.R. § 64.1200(f)(9). Purely informational messages, like a delivery notification with no promotional content, can use the lower consent standard.
What does the TCPA require a business to disclose to the consumer?
At the consent stage, the business clearly identifies itself by name and describes the messages as advertising or telemarketing. It states that consent is not a condition of purchase and references the phone number being authorized. During marketing calls, the caller also states the name of the person calling, the business the call is for, and a contact number or address, per 47 C.F.R. § 64.1200.
What does the TCPA require regarding caller identification information?
The TCPA's Truth in Caller ID provisions at 47 U.S.C. § 227(e) and 47 C.F.R. § 64.1604 bar transmitting inaccurate or misleading caller ID with intent to defraud or harm. Outbound telemarketers have to display a number that reaches the business during normal hours and cannot use a fake company name as the CNAM display. For texts, the sending number has to be registered and tied to the sender's brand.
What is required under the TCPA when making automated marketing calls?
Automated marketing calls to cell phones require prior express written consent, cannot be placed before 8 a.m. or after 9 p.m. local time, must identify the caller and the company, and must include an opt-out mechanism. The company honors Do Not Call registrations and processes any revocation promptly. The FCC's 2024 ruling confirmed consumers can revoke through any reasonable means, more than one designated channel.
Does the Supreme Court's Facebook v. Duguid decision change TCPA consent requirements?
Duguid narrowed the autodialer definition but left the consent requirements alone. PEWC is still required for marketing texts sent by systems using random or sequential number generation. Many platforms still qualify as autodialers under this definition, and state mini-TCPAs use broader definitions Duguid does not limit. Treating all bulk texting as TCPA-covered stays the safest practical approach.
Can a business buy a lead list and claim consent from a third party?
Not anymore for marketing texts. The FCC's January 2025 one-to-one consent rule requires each consumer to give consent directly to the specific seller sending the texts. A form covering multiple unnamed partners does not satisfy PEWC for autodialed marketing messages. Businesses relying on purchased lead lists need to verify consent was collected with their company specifically named on the original form.
How long do you have to honor an opt-out from marketing texts?
The FCC's 2024 Declaratory Ruling set a 10-business-day safe harbor for processing opt-outs received through non-standard channels. For standard opt-outs (a STOP reply to a text), many TCPA practitioners recommend same-day or next-business-day processing. Any marketing text sent after a valid opt-out is a separate TCPA violation, so opt-out delays multiply liability fast.
What records do I need to prove TCPA consent in a lawsuit?
You need the timestamp of consent collection, the exact consent language shown at that time, the consumer's phone number as entered, the IP address, and the page URL. Courts put the burden of proving consent on the defendant. Spreadsheets without individual timestamps, or records that can be edited after the fact, have failed to satisfy courts. A system with immutable audit logs is the safest storage. Retain records four to five years.
Does the TCPA time-of-day restriction apply to text messages?
Yes. The FCC treats texts as "calls" under the statute, so the time restriction at 47 C.F.R. § 64.1200(c)(1), which prohibits calls before 8 a.m. or after 9 p.m. local time, applies to texts. Local time means the called party's location, not the sender's. A California business texting a Florida customer at 7:45 p.m. PT is texting at 10:45 p.m. ET. That is a violation.
Can a consumer's consent for marketing texts ever expire?
The TCPA sets no explicit expiration period, but courts have found that long gaps between consent collection and the start of a campaign can undermine the claim that consent was still valid. An FCC-recognized principle is that consent must be to receive the type of messages actually sent. Consent collected for one campaign may not cover a different campaign launched years later under a different brand or product line.
Is a pre-checked checkbox on a web form valid TCPA consent?
No. Valid PEWC requires the consumer's affirmative action. A pre-checked checkbox is not an affirmative act, so it fails the signature requirement. Courts and FCC guidance consistently require the consumer to check the box themselves, type their name, or take some other deliberate step. Pre-ticked forms are among the most common consent errors found in TCPA litigation.
How does the TCPA interact with the CAN-SPAM Act for text messages?
CAN-SPAM applies to commercial email, not SMS. Text message marketing is regulated by the TCPA and FCC rules, not CAN-SPAM. The FTC's Telemarketing Sales Rule may also apply to text campaigns that sit inside a broader telemarketing program. The two regimes do not overlap directly, but companies running both email and text campaigns manage consent and opt-outs separately under each framework.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded calls to cellular numbers without prior express consent; sets $500–$1,500 statutory damages per violation and bars misleading caller ID with intent to defraud
- Code of Federal Regulations, 47 C.F.R. § 64.1200, FCC TCPA implementing rules (defining prior express written consent at (f)(9)): Defines prior express written consent, requires caller identification disclosures, time-of-day restrictions (8 a.m.–9 p.m.), and Do Not Call compliance for telemarketing calls and texts
- FCC Report and Order FCC 23-107, One-to-One Consent Rule (adopted Nov. 2023, effective Jan. 27, 2025): FCC closed the lead generator loophole; requires one-to-one consent naming a single seller for autodialed marketing texts, effective January 27, 2025
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires disclosure of seller identity and sales purpose before a sales pitch; applies in parallel with TCPA to many outbound marketing programs
- U.S. Congress, TRACED Act, Pub. L. No. 116-105 (2019): TRACED Act required FCC to mandate STIR/SHAKEN caller ID authentication on IP networks to combat robocall spoofing
- FCC Declaratory Ruling FCC 24-75, Consent Revocation (adopted Feb. 2024): FCC ruled consumers may revoke TCPA consent through any reasonable means; established 10-business-day safe harbor for processing non-standard revocations
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed TCPA autodialer definition; system must use random or sequential number generator to qualify, not merely dial from a stored list
- Florida Statutes § 501.059, Florida Telephone Solicitation Act (Mini-TCPA): Florida Mini-TCPA covers any 'automated system for the selection or dialing of telephone numbers,' broader than the Duguid standard
- FCC, Reassigned Numbers Database: FCC established a reassigned numbers database to help callers avoid contacting people who did not consent because their number previously belonged to someone who did