Last updated 2026-07-10

TL;DR
SMS opt-in best practices require written prior express consent before any marketing text, a clear disclosure at the point of opt-in, a working opt-out keyword (STOP), and a record you can produce in court. Get any of those four wrong and each text can cost $500 to $1,500 under 47 U.S.C. § 227. This guide walks through every requirement in plain terms.
What does SMS opt-in actually mean under TCPA?
SMS opt-in means a person gave you written permission to send marketing texts before the first one goes out. That permission has to be voluntary, clearly requested, and documented. No permission, no text. Simple as that.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, bars using an automatic telephone dialing system or an artificial or prerecorded voice to contact a cellular number without prior express consent. [1] The FCC extended that framework to text messages in 2003, treating an SMS the same as a call to a cell phone. [2]
Marketing texts get held to a higher bar. The FCC's 2012 TCPA Order requires "prior express written consent," which is stricter than the "prior express consent" needed for informational messages. [3] Written consent means the person takes an affirmative act to agree, and that act comes with a clear and conspicuous disclosure of what they're agreeing to. A pre-checked box does not qualify. Silence does not qualify. A business card someone handed you at a trade show does not qualify.
Here's the part that decides cases. If you cannot produce a timestamped record showing exactly when and how a person opted in, along with the disclosure they saw at that moment, you are exposed. Courts and the FCC do not give you the benefit of the doubt on consent documentation. The burden is yours.
For a broader look at how TCPA rules apply to your texting program, see our overview of tcpa sms compliance.
What has to be in an SMS opt-in disclosure?
A compliant SMS opt-in disclosure names the sender, tells the person they'll get recurring automated marketing texts, states that consent isn't a condition of purchase, gives the STOP and HELP commands, and warns that message and data rates may apply. Skip any of those and the consent you collected is legally shaky.
The FCC and the CTIA Messaging Principles (the wireless industry's self-regulatory guidelines) both spell out these elements. [4] A compliant disclosure states:
1. The name of the business or program sending the messages. 2. That the person will receive recurring automated marketing text messages (or the specific frequency if it's fixed). 3. That consent is not a condition of purchasing any good or service. This one is in the statute itself. 4. The opt-out method, typically "Reply STOP to unsubscribe." 5. The help command, typically "Reply HELP for help." 6. That message and data rates may apply.
The CTIA guidelines say the disclosure should appear close to the mechanism used to collect the mobile number. [4] If you're collecting the number in a web form, all six elements go right there on the form. Not buried in a terms-of-service link three clicks away.
Keep the language plain. "By entering your number, you agree to receive automated marketing texts from Acme Co. at the number provided. Consent is not required to purchase. Reply STOP to opt out, HELP for help. Msg & data rates may apply. Msg frequency varies." That covers it. You do not need a legal brief.
For ready-to-use form structures, the sms opt-in form guide has annotated templates showing each disclosure element in context.
What are the main SMS opt-in methods and which is safest?
Five collection methods dominate, and they don't carry equal risk. Keyword opt-in via short code gives you the cleanest audit trail. Third-party lead consent gives you the biggest headache.
| Method | How it works | Risk level | Key requirement |
|---|---|---|---|
| Web form | Person enters number on a website | Low if done right | Disclosure must appear on the same page, no pre-checked boxes |
| Keyword opt-in | Person texts a keyword (JOIN, YES) to a short code | Low | Auto-reply must confirm program name, frequency, rates, STOP/HELP |
| Paper form | Person writes number on a physical form | Medium | You must retain the original or a scan with the disclosure visible |
| Verbal opt-in | Agent reads disclosure, person agrees by voice | High | You must record or log the exact disclosure read and the response |
| Lead gen / third-party | Vendor collects consent on your behalf | High | Consent must name your company specifically; blanket "partners" language is legally contested |
Keyword opt-in wins on audit trail because the carrier logs the inbound message and your platform logs the confirmation reply. Two independent records. Web forms with server-side timestamp logging come a close second.
Verbal opt-in carries the most operational risk. It depends on your agents reading the disclosure correctly every single time, and you have to store those recordings long enough to defend a lawsuit. TCPA has a four-year statute of limitations under 28 U.S.C. § 1658. [5]
Third-party lead consent is where the biggest class-action exposure lives right now. The FCC's one-to-one consent rule, adopted in December 2023, requires that each marketing text sender be individually named on the consent form. That ends the practice of a single "I agree to be contacted by our partners" checkbox covering dozens of companies. [6] If you buy leads, verify that the consent form named you specifically.
Should you use double opt-in for SMS?
Double opt-in means sending a confirmation text after someone signs up and requiring them to reply YES before you start marketing to them. TCPA doesn't require it. It's still worth doing for most promotional lists, and here's why.
It creates a second timestamped record. A carrier log showing an inbound YES reply from a specific number at a specific time is much harder to dispute than a server log alone. It also filters out typos and numbers entered by someone other than the actual owner, which cuts down wrong-party complaints.
The cost is list size. Double opt-in typically trims confirmation rates by 15 to 30 percent depending on the channel and audience, based on general observation across SMS platform providers. Nobody has published a peer-reviewed study on that specific figure, so treat it as a directional estimate, not gospel.
My honest take: for any list you plan to blast promotional offers to at scale, double opt-in earns its shrinkage. For transactional or appointment-reminder programs where volume is low and the relationship is already established, it's probably overhead you don't need.
The sms double opt-in guide covers confirmation message copy and how to handle non-responders without tripping TCPA.
How do you handle opt-out requests correctly?
TCPA requires you to honor opt-out requests promptly. The FCC reads that to mean a reasonable time, and the CTIA guidelines say opt-out processing should happen within 24 hours of receiving a STOP request. [4] In practice, your platform should suppress the number instantly.
Honor these keywords: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. Suppress those numbers immediately and send one confirmation message. That single confirmation reply is legally permitted even after an opt-out. [7] Send nothing else.
Here's what teams get wrong.
Transferring lists between systems without transferring the suppression list. If someone opted out of your SMS list in January and you import a refreshed list in March that includes them again, you've violated TCPA. One text. $500 minimum.
Assuming an opt-out crosses channels. Opt-out under TCPA is channel-specific, so an SMS opt-out doesn't automatically cancel an email subscription. Even so, giving people a single global opt-out when your programs overlap is good practice and good manners.
Missing the synonyms. If someone replies "stop texting me" instead of the keyword STOP, that is an opt-out request. Your agents and your platform need a process for natural-language opt-outs that fall outside the automated keyword handler.
Store opt-out records indefinitely, or at minimum for six years to cover your longest realistic legal exposure window.
What records do you need to keep to defend a TCPA claim?
If you get sued or hit with an FCC complaint, you need to produce specific documentation. "We always get consent" is not a defense. The paper trail is the defense.
For each opt-in, retain:
- The exact text of the disclosure the person saw at the time they opted in, plus the date that version went live.
- A timestamp of when the opt-in was submitted (server-side, not browser-side).
- The IP address for web form submissions.
- The source (which page, which campaign, which keyword).
- For keyword opt-ins, the carrier message log showing the inbound text and outbound confirmation.
- For third-party leads, the vendor's actual consent record, more than your receipt of the lead.
TCPA class actions often turn on consent documentation. In Brinker v. Normandin's (N.D. Cal. 2016), a class got certified partly because the defendant couldn't produce consistent opt-in records for the members who claimed they never consented. [8] When you can't prove consent, the presumption tilts against you.
The four-year statute of limitations under 28 U.S.C. § 1658 means someone can sue you in 2029 for a text you sent in 2025. [5] Your records have to outlast that window. A six-year retention policy is the practical safe harbor most compliance teams settle on.
LeadCompliant's free compliance kit includes a consent record template and a retention policy checklist you can adapt to your current stack without hiring a consultant.
Do state laws add requirements on top of TCPA?
Yes, and a few of them are meaningfully stricter than the federal floor.
Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a private right of action for violations of Florida's telemarketing rules with damages of $500 per call or text. [9] Florida courts first read the FTSA to reach any automated text, more than those sent with an ATDS, which made it briefly broader than TCPA. A 2023 amendment tightened the definition, but Florida is still a high-litigation state for SMS.
California's CCPA and CPRA add consent and data-rights obligations on top of TCPA if you're texting California residents. Consumers can opt out of the "sale" or "sharing" of their personal data, which can include phone numbers passed to marketing partners. [10]
Washington, Oklahoma, and other states run their own telephone solicitation statutes with their own consent and disclosure quirks. No single article keeps up with all of them in real time. The workable approach is to apply TCPA's written-consent standard everywhere. It's strict enough that meeting it usually clears state-level rules too. Then subscribe to a reliable update feed for state developments.
For the latest state-level and federal changes, the lead generation compliance news feed tracks rule changes as they land.
How should your opt-in process work for lead generation and third-party data?
Buying leads and texting them is the highest-risk activity in outbound SMS. Most TCPA class actions filed in the last five years involve someone texted by a company they never heard of, based on consent given to a different company on a different form. [6]
The FCC's one-to-one consent rule, adopted in December 2023 and effective January 27, 2025, targets exactly this. The rule says a consumer's written consent to receive marketing calls or texts may not carry over to a different seller unless the consumer separately consented to that seller by name. [6] The "I agree to be contacted by up to 25 marketing partners" checkbox is dead, at least under federal rules.
If you work with lead generators, do three things.
Get a copy of the actual consent form the consumer filled out, including the disclosure language. Not the lead. The form.
Confirm your company's name, or a descriptor specific enough to identify you, appears on that form.
Check how old the lead is. Consent is not eternal. FTC guidance and general TCPA case law suggest consent goes stale over time, especially after a long gap with no contact. Eighteen months is a commonly cited threshold in compliance circles, though TCPA doesn't codify a precise number.
Can't get the consent documentation from your lead vendor? Stop using that vendor. That's not a hedge. Given the current litigation climate, it's the only reasonable answer.
For teams running real estate text message marketing programs, this third-party consent issue bites especially hard, because the industry has leaned on list purchases for years.
What are the biggest mistakes outbound teams make with SMS opt-in?
After watching enforcement actions and reading class-action complaints, the same mistakes surface again and again.
Treating a number as consent. Someone gave you their number to schedule an appointment or get a quote. That does not mean they agreed to marketing texts. TCPA draws a hard line between transactional and marketing communications.
Copying opt-in language from a competitor's website. This happens constantly. The other company's disclosure might be deficient, outdated, or written for a different program. Write your own, or have a TCPA attorney review it.
Not updating disclosures when the program changes. If you collected consent for "up to 4 messages per month" and now you're sending 12, the original consent doesn't cover that. Re-acquire consent with updated disclosures.
Letting opt-outs strand on one platform. If someone opted out of your Twilio campaign, that opt-out needs to reach your Salesforce suppression list and every other platform touching that number.
Sending a marketing pitch as the first message in a keyword flow. The first reply to a keyword opt-in should be the confirmation and disclosure, not a promotion. Some platforms default to promotional content in that first reply. Check your settings.
For teams weighing platforms, the text message marketing software guide reviews which ones handle opt-out propagation and disclosure management well and which don't.
What does a compliant SMS opt-in flow look like end to end?
A defensible opt-in process runs from first contact to first marketing message in seven steps. Each step leaves a record. That's the point.
Step 1. Collect the number. Through a web form, keyword, or voice, the person takes an affirmative action. No pre-filled fields, no pre-checked boxes.
Step 2. Show or deliver the disclosure. All six required elements are visible at the moment of opt-in. For web forms, that means the disclosure sits on the same screen as the number field, not behind a link. For keyword flows, the confirmation reply carries the disclosure.
Step 3. Record the opt-in. Log the timestamp, source, IP (for web), disclosure version, and number in your CRM or SMS platform. Back it up.
Step 4. Send the confirmation message (for keyword or double opt-in flows). Something like: "You're subscribed to Acme Co. alerts. Msg & data rates may apply. Reply STOP to unsubscribe, HELP for help. Up to 8 msgs/month."
Step 5. Scrub against DNC lists. Check the national DNC registry and any state DNC lists before the first marketing send. SMS to cell phones is generally handled separately from voice DNC rules, but the check costs nothing and removes one more exposure.
Step 6. Send only what you disclosed. If you said "promotional offers," send promotional offers. Don't swing to a different program type without re-acquiring consent.
Step 7. Honor opt-outs in real time. Configure your platform to suppress STOP keywords instantly and archive the opt-out record.
For teams building this flow from scratch, the sms opt in guide walks through platform configuration and CRM integration in more depth.
How much does a TCPA violation actually cost, and is the risk real?
TCPA penalties are $500 per violation for negligent violations and $1,500 per violation for willful violations. [1] Each text to each number is its own violation. One campaign to 10,000 unconsented numbers is $5 million in potential liability before any treble damages.
Class actions are the main threat. TCPA class settlements have run into the billions over the past decade. The larger individual settlements include $76 million against Capital One in 2015, $34 million against DirecTV, and $31 million against JPMorgan Chase. [8] Those are big companies, but plaintiff firms hunt mid-market and small businesses too, because smaller shops are less likely to have airtight documentation and more likely to settle fast.
TCPA filings bounce around but stay in the thousands per year. The WebRecon index, which tracks consumer law filings, logged more than 1,200 TCPA cases filed in federal court in 2023. [11] That number undercounts total exposure, because many cases settle before or during discovery without a public docket.
The risk is real. A single annoyed recipient who texts STOP and keeps getting messages, or who says they never opted in, can become a class representative. At that point your consent records either save you or bury you.
For recent enforcement trends and what the FCC is prioritizing, check tcpa news today.
How do you evaluate whether your current SMS opt-in process is compliant?
Run your current program against this checklist. Any answer that's "no" or "I'm not sure" is a gap to fix before your next send.
Consent collection
- Does every opt-in method require an affirmative act by the consumer?
- Is the disclosure language present at the point of collection (same screen, same page, same reply)?
- Does the disclosure include all six required elements?
- Are pre-checked boxes completely absent from your forms?
Documentation
- Do you log timestamp, IP, source page, and disclosure version for every opt-in?
- Can you retrieve any individual's consent record within 48 hours if challenged?
- Do you retain records for at least four years (ideally six)?
Opt-out handling
- Does your platform honor STOP, CANCEL, UNSUBSCRIBE, END, and QUIT automatically?
- Do opt-outs propagate to every system that touches that number?
- Are opt-out records archived separately from active lists?
Third-party leads
- Does every lead you purchase come with verifiable consent documentation naming your company specifically?
- Do you avoid leads older than 18 months without re-validation?
Program scope
- Are you sending only the type and frequency of messages you disclosed?
- Have you re-acquired consent for any program changes made after the original opt-in?
If you want a structured version of this checklist with documentation templates, LeadCompliant offers a free compliance kit at leadcompliant.com you can download and adapt for your team's program.
For teams running a marketing text message service, run this evaluation quarterly, more than at launch.
Frequently asked questions
Do I need written opt-in for all SMS messages or just marketing texts?
Only marketing (promotional) texts require prior express written consent under the FCC's 2012 TCPA Order. Purely informational or transactional texts, like appointment reminders or order confirmations, require prior express consent, which can be implied from an existing relationship. The line between "informational" and "marketing" is narrower than most teams think: any message that promotes a product, service, or future purchase is likely marketing.
Can I text someone who gave me their number on a paper form or business card?
Not for marketing without a documented opt-in that includes the required disclosures. A number on a business card or a paper sign-in sheet is not prior express written consent under TCPA. You need a signed form (physical or electronic) with disclosure language authorizing marketing texts. If the paper form you collected didn't have that disclosure, re-acquire consent before you market to them.
What is the FCC's one-to-one consent rule and how does it affect lead buying?
The FCC's December 2023 order, effective January 27, 2025, requires each seller to be individually named in the consumer's written consent. A single checkbox consenting to contact from "marketing partners" no longer satisfies TCPA for any of those partners. If you buy leads, you need documentation showing your company's name appeared on the consent form the consumer actually signed or submitted.
How long do I have to keep SMS opt-in records?
TCPA's statute of limitations under 28 U.S.C. § 1658 is four years. Most compliance teams keep records for six years to buffer against cases where discovery doesn't start until late in the limitations period. Store the timestamp, source, IP address, disclosure version, and the number itself. Deleting records early is one of the fastest ways to turn a defensible case into a bad settlement.
Is a pre-checked opt-in box on a web form valid consent for SMS?
No. The FCC's 2012 TCPA Order and the E-SIGN Act require an affirmative act by the consumer. A pre-checked box is not an affirmative act, because the consumer did nothing to express agreement. Courts have consistently found pre-checked boxes insufficient for TCPA written consent. Remove them from every form in your stack and require the person to actively check or click to agree.
What happens if someone texts STOP and I accidentally send another message?
That follow-up text is a TCPA violation at $500 to $1,500 per message. If it's systemic, meaning multiple opted-out numbers get more texts because of a platform misconfiguration or a list merge, you have the makings of a class action. The most common cause is importing a refreshed lead list without checking it against your suppression file first. Always scrub incoming lists against your opt-out archive before any send.
Does double opt-in eliminate TCPA liability?
It reduces liability sharply but doesn't erase it. Double opt-in creates a second timestamped record that's very hard for a plaintiff to dispute. But if your initial disclosure is deficient, if you send message types you didn't disclose, or if your opt-out handling fails, you still have exposure. Treat double opt-in as strong evidence of consent, not a complete legal shield.
Can I text existing customers without a new opt-in?
For transactional messages tied directly to what they bought, an established business relationship may supply implied consent. For marketing messages promoting new products, upsells, or offers, you need prior express written consent regardless of the relationship. The FCC's rules give no blanket existing-customer exemption for promotional texts. When in doubt, collect a fresh opt-in with proper disclosure.
What is the CTIA and why do their guidelines matter for SMS compliance?
The CTIA is the wireless industry's trade association. Carriers like AT&T, Verizon, and T-Mobile require compliance with CTIA Messaging Principles as a condition of using their networks for application-to-person (A2P) SMS. Break the CTIA guidelines and you can get your short code or 10DLC number deregistered, which shuts down your texting program. CTIA guidelines overlap heavily with TCPA but add specifics on disclosure content, opt-out keywords, and frequency transparency.
Do B2B text messages have different opt-in rules?
TCPA covers calls and texts to cell phones regardless of whether the recipient is a consumer or a business professional. The business-to-business exemption people cite is mostly a myth for SMS. If you're texting a person's cell phone, even for a business purpose, TCPA applies. Some courts have shown slightly more flexibility in B2B contexts, but there's no codified exemption. Collect proper consent for B2B SMS programs just as you would for consumer campaigns.
How specific does my message frequency disclosure have to be?
You don't have to state an exact number if frequency varies, but you must give a reasonable description. "Up to 4 msgs/month" or "Msg frequency varies" are both widely accepted. Saying nothing about frequency is a gap. If you later send far more messages than a stated maximum, the original consent arguably doesn't cover the excess. Either disclose a range that matches your actual sending pattern, or use "frequency varies."
What's the difference between a short code and a 10DLC number for compliance purposes?
Both require TCPA-compliant consent. The consent rules are the same regardless of sending number type. The difference is registration: 10DLC (10-digit long codes) require brand and campaign registration through The Campaign Registry, and carriers can reject messages from unregistered numbers. Short codes go through a separate carrier approval process. Neither registration substitutes for getting proper opt-in consent from recipients.
Can I use an online form consent for both email and SMS in a single checkbox?
Generally no, not safely. Email consent (under CAN-SPAM) and SMS consent (under TCPA) run on different legal standards. A single checkbox saying "I agree to receive emails and texts" may not clearly convey that automated marketing texts are included. Separate opt-in mechanisms for email and SMS, with the TCPA-required disclosure on the SMS opt-in, is the defensible approach. Bundling them into one field creates ambiguity you'll have to defend in litigation.
How do Florida's SMS rules differ from federal TCPA?
Florida's Telephone Solicitation Act (FTSA), as amended in 2021 and 2023, creates a private right of action under state law with $500 per-text damages. Florida courts debated whether the FTSA reached texts sent without a federally defined ATDS, which briefly made it broader than TCPA. The 2023 amendments narrowed the definition, but Florida stays an active litigation state. Apply TCPA's strictest standards and you'll generally satisfy FTSA, but consult a Florida-licensed attorney for high-volume programs targeting Florida numbers.
Sources
- U.S. Code, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits using an ATDS to contact a cellular number without prior express consent; violations carry $500 per violation, up to $1,500 for willful violations
- CTIA, Messaging Principles and Best Practices (2023): CTIA guidelines require opt-in disclosure to appear near the number collection mechanism and specify STOP/HELP keyword requirements and 24-hour opt-out processing
- U.S. Code, 28 U.S.C. § 1658 (Statute of Limitations for Federal Civil Claims): Federal civil claims, including TCPA claims, carry a four-year statute of limitations
- National Consumer Law Center: Major TCPA class action settlements include $76 million against Capital One, $34 million against DirecTV, and $31 million against JPMorgan Chase; consent documentation gaps contributed to class certification in multiple cases including Brinker v. Normandin's
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA as amended in 2021 and 2023 creates a private right of action for violations with $500 per-text damages under state law
- California Attorney General, California Consumer Privacy Act (CCPA): California CCPA/CPRA grants consumers the right to opt out of the sale or sharing of personal data including phone numbers, adding requirements on top of TCPA for California-resident contacts
- WebRecon LLC, Consumer Law Index and TCPA Case Filing Statistics 2023: WebRecon tracked over 1,200 TCPA cases filed in federal court in 2023, indicating continued high litigation volume
- FTC, CAN-SPAM Act Compliance Guide for Business: CAN-SPAM governs commercial email with different standards than TCPA, supporting the need for separate consent mechanisms for email versus SMS