Last updated 2026-07-09

TL;DR
You cannot legally send marketing SMS to anyone who hasn't given prior express written consent under the TCPA (47 U.S.C. § 227). A compliant opt-in flow needs a clear opt-in mechanism, specific disclosures about frequency and content, an easy opt-out path, and a documented record of every consent. Skip those, and each text can cost $500 to $1,500.
What does the TCPA actually require before you send a marketing text?
Written consent. That's the short version, and the FCC has made the word "written" do a lot of work.
Section 227(b)(1)(A) of the Telephone Consumer Protection Act prohibits using an automatic telephone dialing system or a prerecorded voice to call or text any cell phone without the called party's prior express consent [1]. For marketing messages, the FCC's 2012 rule raised the bar to "prior express written consent," defined in 47 C.F.R. § 64.1200(f)(9) [2]. That rule took effect October 16, 2013, and has governed commercial SMS ever since.
What counts as written consent? A signed written agreement, where "signed" includes an electronic or digital signature. A checked box on a web form works. A keyword reply to a short code works ("Text YES to 55555"). A paper form with a real signature works. What fails: a phone number scribbled on a business card, an opt-in at a trade show with no disclosures on the form, or consent buried inside a general terms-of-service that never mentions texting.
The rule says the agreement must "clearly and conspicuously" authorize the seller to send automated texts, and it must state the phone number to which messages may be sent [2]. That phrase has generated years of litigation. Courts read it to mean a reasonable consumer would notice and understand the consent language, not that it technically exists somewhere in six-point gray type.
For a plain-language overview of how these rules connect, see our article on tcpa.
Is true SMS "cold outreach" even legal under TCPA?
A cold text to someone who's never heard of you and never gave consent is a TCPA violation the moment you send it, if you used an autodialer or any automated platform to send it [1]. That covers most modern texting software. So no, pure cold texting is not legal.
People conflate cold calling with cold texting. Cold calling a landline has a different consent standard (prior express consent, not written consent), and cold calling a mobile number you scraped is already risky under cold calling rules. Marketing texts sit at the highest consent standard the FCC recognizes. There is no cold marketing text exception. None.
The only legal path to SMS outreach is to build the opt-in before the text goes out. Some teams do this with:
- A lead generation web form that captures consent at the point of data collection
- An inbound phone call where the rep gets verbal consent and records it
- A paid ad with an embedded SMS opt-in (compliant lead gen ads on Meta, for example)
- A physical sign-up at an event with the required disclosures printed on the form
None of those are cold outreach in the pure sense. The opt-in is the outreach. Get consent first, then text.
The FCC's 2024 1-to-1 consent rule, vacated by the Eleventh Circuit in January 2025 on procedural grounds, would have required that consent name the specific seller [3]. That rule isn't in force. The litigation trend behind it is very much alive. Courts and plaintiffs' attorneys are looking hard at whether consent was actually specific to your company. Buying a list of "SMS consented" leads where someone opted in to hear from "marketing partners" is dangerous ground.
What are the required disclosures in an SMS opt-in?
The FCC's regulations at 47 C.F.R. § 64.1200(f)(9) require that prior express written consent include a clear and conspicuous disclosure that [2]:
1. The person authorizes the seller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial/prerecorded voice. 2. Consent is not a condition of purchasing any property, goods, or services.
That second point is non-negotiable. If your web form says "Enter your phone number to complete your purchase" and that number lands in your SMS marketing list, you have a problem. Consent can't be tied to a transaction.
Beyond the federal floor, the CTIA (the wireless industry trade group) publishes messaging guidelines that carriers and aggregators enforce at the network level [4]. Their guidelines add:
- The message frequency ("up to 4 msgs/month" or "recurring messages")
- "Message and data rates may apply"
- Opt-out instructions ("Reply STOP to cancel")
- Help instructions ("Reply HELP for help")
- Your brand or company name in the first message
Carriers reject or filter messages from short codes or 10DLC numbers that ignore these CTIA disclosures, regardless of TCPA liability. So you're facing two separate enforcement paths at once: federal lawsuits and carrier-level blocking.
A compliant opt-in disclosure reads something like this (adapt the specifics to your situation):
"By checking this box, you agree to receive automated marketing text messages from [Company Name] at the phone number provided. Message frequency varies. Message and data rates may apply. Consent is not a condition of purchase. Reply STOP to unsubscribe or HELP for help."
That's the floor. Some legal teams add a link to a dedicated SMS privacy policy. Good practice, especially in a regulated industry.
How do you structure the opt-in flow step by step?
Here's the actual architecture, in sequence.
Step 1: Capture the phone number and consent together. The opt-in has to happen at the same moment you collect the number. A separate, clearly labeled SMS checkbox is cleaner than a bundled consent. Some companies add a double opt-in (a confirmation text with "Reply YES to confirm") for a second layer of proof. Double opt-in isn't required by federal law, but the CTIA strongly recommends it for marketing programs [4].
Step 2: Deliver the required disclosures at the point of opt-in. All the language from the previous section must sit near the checkbox or input field, in readable font, before the user submits. Not in a modal behind a link. Not in a general privacy policy. Right there.
Step 3: Send a confirmatory text immediately. The first text should name your company, confirm the opt-in, state the message frequency, and include opt-out instructions. Example: "You're subscribed to [Company] alerts. Msg freq: up to 4x/mo. Msg&Data rates may apply. Reply STOP to cancel, HELP for help."
Step 4: Log the consent with timestamp, IP address, form URL, and the exact disclosure language shown. This is the step most small teams skip, and it's what saves you in litigation. If a plaintiff claims they never opted in, you need the exact timestamp, the IP address, the specific version of your opt-in form they saw, and the disclosure language present at that moment. Screenshot your form on every deploy. Store the records.
Step 5: Honor opt-outs immediately. Once someone replies STOP (or any recognized opt-out word), your platform must suppress that number from future messages. The CTIA and most carrier agreements require this within seconds for compliant programs. A delayed opt-out is a TCPA violation [4].
Step 6: Scrub against the Do Not Call registry before texting. The FTC's National Do Not Call Registry applies to text messages that count as telemarketing [5]. Registrants have an independent right not to receive marketing texts even if they consented at some point, unless they specifically consented to your company. For how to pull that list, see how do i get the do not call list.
LeadCompliant's free compliance kit includes a consent language template and a pre-send checklist that maps to these six steps. Worth running through before you build or rebuild your form.
What records do you need to keep, and for how long?
Keep every consent record for at least four years. The TCPA itself doesn't set a retention period, but the statute of limitations for a TCPA claim is four years under 28 U.S.C. § 1658 [6]. You need records that can defend any text you sent in the last four years, because that's how long a plaintiff has to come after it.
Keep the following:
- The timestamp and IP address of the opt-in
- The exact disclosure language the user saw (the version live at the time, more than the current version of your form)
- The phone number as submitted
- Any double opt-in confirmation records (inbound YES reply, timestamp)
- Opt-out records with timestamps
For web form opt-ins, the cleanest setup is a dedicated database table that writes a new record on every submission, includes a hash or screenshot reference of the form version, and never gets overwritten. Consent management platforms like Jornaya or TrustedForm can provide independent third-party documentation of the web session, which carries real evidentiary weight [7].
For verbal consent (phone opt-in), record the call and keep the recording. The rep should read a script that mirrors the written disclosure requirements. Log the call timestamp, the agent ID, and the phone number in your CRM immediately.
Send high volumes and a class action hits, and discovery will ask you to produce consent records for every number in the alleged class. If you can't, some courts have let class certification proceed on the theory that missing records support an inference that consent was never obtained. That's not a spot you want to be in.
What are the penalties if your opt-in flow is non-compliant?
The TCPA sets statutory damages at $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing violations [1]. Each individual text message is a separate violation. That math compounds fast.
Send 10,000 marketing texts to people who didn't properly consent and you're looking at $5 million in minimum exposure before the plaintiff's lawyer even raises willfulness. Class actions multiply it.
Recent cases show how this plays out. The Cash App TCPA class action settlement was a high-profile example of what happens when consent documentation breaks down at scale (see our piece on the cash app tcpa class action settlement). The Credit One TCPA settlement is another data point on how quickly exposure compounds (see credit one tcpa settlement).
Small teams assume they're too small to be targeted. Wrong. Plaintiffs' attorneys hunt for small businesses precisely because they tend to have poor documentation, settle quickly, and don't fight. A single determined plaintiff with a screenshot of your text can trigger a demand letter that costs $15,000 to $50,000 to resolve before a class is ever certified.
State laws add another layer. Florida, Oklahoma, Washington, and several other states run their own mini-TCPA statutes, some with higher damages or broader definitions [8]. If your contacts span multiple states, you need to know which rules apply where. California's CPRA, for one, treats phone numbers as personal data and stacks data rights obligations on top of the TCPA [9].
For a rundown of what's on the do not call list and how it intersects with your SMS list, that context matters too.
How is 10DLC registration connected to opt-in compliance?
10DLC (10-digit long code) is the current US carrier system for business SMS. Since 2021, carriers have required businesses to register their brand and each messaging campaign with The Campaign Registry before sending at volume through a 10DLC number [10]. Registration means describing your use case, confirming your consent practices, and agreeing to follow CTIA guidelines.
Here's what most people miss. 10DLC registration is not the same as TCPA compliance, but it forces you to write down your consent model. When you register a campaign, you describe how you collect opt-ins. Carriers can audit that description. If it doesn't match what you're actually doing, you risk campaign suspension, which kills deliverability overnight.
The 10DLC system also sets throughput limits by trust score. A brand with a high trust score sends more messages per second. A brand with unresolved complaints or sloppy opt-out handling gets throttled or blocked. So a bad opt-in process now quietly caps your send volume later.
Short codes (5-6 digit numbers) have always needed carrier approval, and that review has always included opt-in language. Toll-free numbers used for SMS also require verification as of 2023. Whichever number type you use, the carrier layer is watching your consent practices independent of the FCC.
Building a texting program from scratch in 2025? Register your 10DLC campaign before you send a single message. The fee is small (a few dollars a month at most aggregators). The cost of sending unregistered is carrier filtering that makes your messages invisible.
What opt-in methods actually hold up in court?
Courts have ruled on a lot of opt-in mechanisms over the past decade. Here's an honest read of what has and hasn't worked.
Web form checkboxes hold up well when the disclosure sits next to the checkbox, the checkbox is unchecked by default, and you have timestamped records. Pre-checked boxes have repeatedly failed the "clear and conspicuous" standard [11].
Keyword opt-ins (text a word to a short code) work, but only if the prompt the consumer saw before texting included the required disclosures. A billboard that says "Text INFO to 55555" with no disclosure language is a problem. The disclosure has to appear wherever the call to action appears.
Lead gen ads (Meta's Lead Ads, Google's lead form extensions) can be compliant if the form carries the required disclosure language at submission. Many advertisers get this wrong by leaning on Meta's generic consent language. Your disclosure, naming your company and describing your texting program, needs to live in the custom disclaimer field.
Third-party lead purchases are the highest-risk path, full stop. Buying leads where someone supposedly consented to "marketing partners" is not compliant for your specific company under the FCC's reading. The Eleventh Circuit's January 2025 decision vacated the 1-to-1 consent rule on procedural grounds, but the FCC's general position that consent must be specific to the caller has deep roots in case law. Courts have found broad "marketing partners" consent doesn't satisfy prior express written consent for a specific seller [11].
Re-consent campaigns are worth doing when you have an old list with shaky documentation. Send a re-consent ask via email (a lower-risk channel), get explicit SMS consent from those who respond, and suppress everyone who doesn't. Your list gets smaller. Your liability gets smaller too.
How do you handle opt-outs and revocations properly?
Opt-out handling is where compliant programs fall apart operationally. Consumers can revoke consent at any time and through any reasonable means. That's settled law.
Federal TCPA case law and FCC guidance are clear that revocation can come through any reasonable channel [2]. Replying STOP to a text. Calling customer service. Emailing you. Telling a customer-facing employee. You can't restrict revocation to a single channel. The FCC's 2015 Declaratory Ruling stated that consumers may revoke consent "through any reasonable means."
What that means in practice: if someone emails your support team and says "please stop texting me," that's a valid revocation. Keep texting because they didn't reply STOP and you've violated the TCPA. Your CRM and your texting platform need a suppression workflow that connects all those channels.
For keyword opt-outs via text, the CTIA-recognized keywords are STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. Your platform must recognize all of them and halt messaging immediately [4]. The platform response should confirm the opt-out: "You've been unsubscribed from [Company] messages. No more messages will be sent."
Keep opt-out records with the same discipline as opt-in records. Timestamp, channel, phone number. If someone re-opts in later, log that too. The re-opt-in has to meet the same disclosure standard as the original.
For mobile numbers specifically, see our notes on the mobile phone do not call list, because DNC registrations and TCPA revocations are separate suppressions that both need to happen.
What does a compliant opt-in flow look like for different industries?
The legal requirements don't change across industries. Implementation does, because the customer journey does.
Real estate / mortgage: Buyers fill out a home search or rate quote form. The SMS consent checkbox should be separate from the main submission. The disclosure must specify texts from your specific company, not from "lending partners." Mortgage draws heavy scrutiny because of the volume of complaints the CFPB receives [12].
Insurance: Same logic as mortgage. Lead aggregators sell insurance leads with bundled consent, and those consents are getting challenged more often. If you're buying leads, ask the lead gen company for their exact opt-in form and disclosure language. If they can't produce it, don't text those leads.
SaaS and tech sales: You usually have an edge here because a product trial signup or demo request is a natural consent capture point. The risk is dumping phone numbers from a data provider (Apollo, ZoomInfo) into your texting list. Those numbers carry no TCPA consent from you. Fine for manual dialing in some contexts. Not fine for automated marketing texts.
Retail and e-commerce: The Klaviyo / Attentive / Postscript checkout opt-in is well understood. The risk is sloppy build: a pre-checked box, a disclosure that doesn't name the brand, or a flow where someone accidentally opts in by entering their phone for "order updates" and then gets marketing texts. Transactional texts (order confirmations, shipping updates) carry a lower consent standard than marketing texts. Keep those programs separate.
B2B outbound: People assume the TCPA skips business contacts. It doesn't. The TCPA protects cell phones, and most business contacts use cell phones. The recipient being a business owner doesn't erase the cell phone protection. B2B texting needs the same consent framework as everything else.
For more on outbound text message marketing across these contexts, that article covers channel-specific nuance.
What tools and processes keep your opt-in compliance organized?
You don't need expensive software to do this right. You do need a system.
At minimum:
A form tool that logs submissions with timestamps and IP addresses. Most modern form tools (Typeform, Gravity Forms, HubSpot forms) do this natively. Make sure the data is accessible and exportable.
A consent documentation layer. Jornaya's LeadiD and ActiveProspect's TrustedForm generate an independent, tamper-evident certificate for each web session showing exactly what the user saw when they submitted [7]. These cost money per lead but give you strong litigation defense. For small teams sending under a few hundred texts a month, the cost may not pencil out. For anyone sending at volume, it does.
Version control on your forms. Every time you change the opt-in disclosure language, take a dated screenshot and store it. If you use a CMS, tag the deployment with the date. This lets you prove what language a specific user saw on a specific date.
A suppression list that syncs across channels. Your email platform, SMS platform, and CRM should share one suppression list. When someone opts out in any channel, that record should propagate automatically.
A DNC scrubbing process. The FTC requires you to scrub against the National DNC Registry no more than 31 days before contacting any number on a list you're calling or texting with marketing messages [5]. Most SMS platforms don't do this for you. Build the scrub into your pre-send workflow. You access the registry through the FTC's portal.
LeadCompliant has a free TCPA checklist that walks through each of these checkpoints. Useful as a starting audit even if you've already built a program.
One process note. Do a quarterly audit of your opt-in form in a fresh browser session. Go through the flow as a user would. Check that the disclosure language is visible, that the checkbox is unchecked by default, that the confirmation text arrives. Small UI changes break compliance quietly, and you won't know unless you look.
How does the FCC's evolving rulemaking affect your opt-in strategy?
The regulatory ground has shifted under everyone over the last few years, and the honest answer is that some parts are still moving. Build to the higher standard anyway.
The FCC's December 2023 order that would have required 1-to-1 consent (each consumer's consent naming one specific seller) was vacated by the Eleventh Circuit Court of Appeals in January 2025 [3]. The court found the FCC exceeded its statutory authority. That's a real shift, but it doesn't make broad "marketing partners" consent safe. Courts can still find such consent fails the "clearly and conspicuously authorized" standard in the existing regulation.
The FCC also finalized rules in 2023 tightening the treatment of reassigned phone numbers. If a number was reassigned to a new subscriber after the original owner gave you consent, you can still be liable for texting the new subscriber [3]. The Reassigned Numbers Database (RND) is supposed to help. For SMS, checking the RND before texting a number that's been sitting in your database for more than a few months is good practice.
So what do you do with an uncertain regulatory environment? Design your opt-in as if the 1-to-1 consent rule is in effect. The FCC may re-adopt a version of it with proper process, and courts are already sympathetic to the underlying principle even when the specific rule isn't in force. The cost of a clean, specific consent capture is minimal. The cost of re-consenting an entire list after a rule change is enormous.
Keep an eye on FCC proceedings at fcc.gov and on Wiley Law's TCPA tracker, which follows pending rulemakings. Nobody has clean visibility into where the rules land in 2026 and beyond. The direction of travel has been consistent: more specific, more documented consent.
Frequently asked questions
Can I text someone who gave me their phone number at a trade show?
Only if the form they completed at the show included the required TCPA disclosures: authorization to send automated texts, a statement that consent isn't required to purchase, message frequency, opt-out instructions, and your company name. A business card hand-off or a blank sign-in sheet doesn't create valid consent. If your trade show form lacked those disclosures, re-consent those contacts through another channel before texting.
Does TCPA apply to one-on-one manual texts sent from an actual phone?
Maybe not, and this is a genuinely gray area. The TCPA's autodialer ban applies to equipment with the capacity to dial randomly or sequentially from a stored list. A single human-written text from a real smartphone is harder to characterize as an ATDS violation. But state laws and certain FCC interpretations can still reach it, and courts vary. Don't treat manual texting as a TCPA-free zone without checking your state's mini-TCPA rules.
How long is an SMS consent valid?
The TCPA sets no expiration date on consent, but consent goes stale in practice. If someone consented three years ago and hasn't engaged since, a court might be skeptical. More to the point, if a phone number was reassigned to a new subscriber after the original owner consented, you can be liable for texts to the new user. Check the FCC's Reassigned Numbers Database for any number that's been in your list more than six months.
What's the difference between a transactional text and a marketing text under TCPA?
A transactional text relates to an existing transaction: order confirmation, shipping update, appointment reminder, account alert. These require prior express consent (the lower standard). A marketing text promotes a product or service and requires prior express written consent (the higher standard). The line blurs when a transactional message carries a promotional element. A shipping confirmation that also drops in a discount code is probably treated as marketing.
If I buy a list of leads, am I covered by the consent they gave the list provider?
Probably not for marketing texts. The FCC's position, backed by a string of court decisions, is that prior express written consent must clearly authorize the specific seller sending the texts. A generic consent to "marketing partners" or "companies like ours" doesn't meet that bar. If you buy leads, verify the exact opt-in language and confirm your company was named or that the consent is specific enough to cover you. In practice, that's very hard to verify.
What happens if someone opts out and then re-opts in?
A re-opt-in is valid if it meets the same requirements as the original: required disclosures, clear authorization, unchecked default, logged with timestamp. Remove the number from your suppression list only after the re-opt-in is documented. Keep both records, the opt-out and the re-opt-in, because a plaintiff who forgets they re-opted in can still file a claim, and your paper trail is the defense.
Do I have to scrub my SMS list against the National Do Not Call Registry?
Yes, if your texts count as telemarketing or telephone solicitation. The FTC's DNC rules cover text messages that promote a product or service, same as calls. Scrub against the registry no more than 31 days before contacting a number on your list. You access the registry through the FTC's portal. Numbers on the registry can still receive texts if they've given you specific prior express written consent to contact them.
What is double opt-in for SMS, and do I need it?
Double opt-in means that after someone submits their phone number, you send a confirmation text asking them to reply YES (or a similar keyword) to confirm. It's not required by federal law, but the CTIA strongly recommends it for marketing programs. The payoff is an extra layer of consent documentation and a check against fake or mistyped numbers. For any program texting at meaningful volume, double opt-in is worth the small drop in list size when some people don't confirm.
Can a small business face a TCPA class action, or is that only for big companies?
Small businesses are frequent TCPA targets precisely because they often lack documentation and settle quickly. Class actions turn on the number of texts sent without valid consent, not the size of the sender. A small operation that sent 5,000 texts to a list without proper consent can face a class of 5,000 members at $500 to $1,500 per text. Plaintiffs' attorneys work on contingency and hunt for cases where the math favors a quick settlement.
What are the TCPA rules for texting contacts in California specifically?
California follows federal TCPA standards, which already apply. On top of that, California's CPRA (effective January 1, 2023) treats phone numbers as personal data subject to access, deletion, and opt-out-of-sale rights. If a California resident asks you to delete their data, that includes their phone number, and you need to honor it across all systems. Some California privacy lawyers also argue certain SMS practices implicate the California Invasion of Privacy Act, though the TCPA is the more common litigation vehicle.
How does 10DLC registration relate to TCPA compliance?
10DLC registration is a carrier-level requirement separate from TCPA compliance, but the two reinforce each other. When you register a campaign with The Campaign Registry, you describe your consent collection method. Carriers use it to assess trust and set throughput limits. A false or poorly described consent disclosure in your registration can get your campaign suspended. Registering honestly forces you to articulate your opt-in process, which is a useful compliance exercise beyond the deliverability benefit.
What should the first text after opt-in include?
The first message should name your company, confirm the opt-in (so the user knows what they signed up for), state the message frequency (even approximately), note that message and data rates may apply, and include opt-out instructions (Reply STOP to cancel). Example: "Welcome to [Company] texts. You'll get up to 4 msgs/mo on [topic]. Msg&Data rates may apply. Reply STOP to cancel or HELP for help." This first message is also your best defense if consent is later disputed.
Are there any safe harbors or exemptions that let you skip the written consent requirement?
Two narrow ones. Established business relationship (EBR) is not a defense for marketing texts to cell phones; the FCC eliminated that exemption when it raised the consent standard in 2012. Emergency messages (imminent health or safety threats) are exempt. Purely transactional messages to someone who gave basic consent are held to a lower standard. Outside those carve-outs, prior express written consent is required for automated marketing texts to cell phones, full stop.
How often should I audit my opt-in forms for compliance?
Audit every time you change the form, every time your legal team flags a new regulatory development, and on a schedule at least quarterly. The audit should include: loading the form in a fresh browser session, verifying the checkbox is unchecked by default, confirming the disclosure language is present and visible, submitting a test entry, and checking that the confirmation text arrives with all required elements. Screenshot and date-stamp the form after every audit.
Sources
- FTC, Complying with the Telemarketing Sales Rule (business guidance): FTC DNC rules apply to text messages that constitute telemarketing; sellers must scrub lists against the registry no more than 31 days before contacting a number
- U.S. Code, 28 U.S.C. § 1658 (four-year statute of limitations for federal statutory claims): The general four-year statute of limitations under 28 U.S.C. § 1658 applies to TCPA claims, requiring consent records be kept for at least four years
- ActiveProspect, TrustedForm product documentation: TrustedForm generates independent, tamper-evident certificates documenting exactly what a user saw at opt-in, used as litigation defense in TCPA cases
- Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's FTSA provides a private right of action for automated text messages and has broader reach than federal TCPA in some respects; other states including Washington and Oklahoma have similar statutes
- California Privacy Protection Agency, California Privacy Rights Act (CPRA): California's CPRA treats phone numbers as personal data subject to access, deletion, and opt-out rights; effective January 1, 2023
- The Campaign Registry, 10DLC registration requirements: Since 2021, U.S. carriers require brand and campaign registration with The Campaign Registry for 10DLC business SMS, including disclosure of consent collection methods
- Reyes v. Lincoln Automotive Financial Services, 2nd Cir. 2017; Van Patten v. Vertical Fitness Group, 9th Cir. 2017 (federal case law on TCPA consent standards): Federal courts have found that pre-checked boxes and broad 'marketing partners' consent language fail the TCPA's 'clear and conspicuous' prior express written consent standard
- CFPB, Consumer Complaint Database (mortgage and financial services complaints): Mortgage and financial services are among the highest-complaint categories for unwanted marketing texts, drawing CFPB and FCC attention
- Telephone Consumer Protection Act, 47 U.S.C. § 227: Section 227(b)(1)(A) prohibits autodialed or prerecorded calls and texts to cell phones without prior express consent; statutory damages are $500 per negligent violation and up to $1,500 per willful violation
- FCC rules, 47 C.F.R. § 64.1200 (prior express written consent and revocation): 47 C.F.R. § 64.1200(f)(9) defines prior express written consent, requires clear and conspicuous disclosure, and FCC guidance permits revocation through any reasonable means