Last updated 2026-07-11

TL;DR
Under the TCPA (47 U.S.C. § 227), sending marketing text messages to a cell phone requires prior express written consent. That means a signed agreement, paper or electronic, that clearly authorizes autodialed or prerecorded marketing texts. Missing or defective consent is the single most common trigger for TCPA class actions, with statutory damages of $500 to $1,500 per message.
What does the TCPA actually require for SMS marketing consent?
The short answer: before you send a single marketing text to a consumer's cell phone using an autodialer or prerecorded message, you need their prior express written consent. Not a verbal OK. Not a checked box during checkout that buried the authorization in fine print. Written consent, defined by FCC regulation.
The statute itself, 47 U.S.C. § 227(b)(1)(A), prohibits using an automatic telephone dialing system or prerecorded voice to call any cellular telephone number without the prior express consent of the called party [1]. The FCC's 2012 order tightened that language specifically for telemarketing calls and texts, upgrading the consent requirement from "express consent" to "prior express written consent" for any communication that includes a marketing purpose [2].
The FCC defined prior express written consent in 47 C.F.R. § 64.1200(f)(9) as "an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice" [2]. An electronic signature counts under the E-SIGN Act, which is good news for web forms and text-to-join flows. But the substance of what the person agrees to still has to be there.
A lot of teams get tripped up on the word "marketing." Transactional texts, things like order confirmations, appointment reminders, and two-factor authentication codes, require only "prior express consent," a lower bar that can be implied from giving you a phone number in a relevant context. The moment your text has any advertising or promotional element, you need the full written consent standard. Courts have not been forgiving about mixed-purpose messages that sneak a promotional line into an otherwise transactional message.
What exactly must a valid TCPA written consent opt-in include?
Four things have to be present, all of them, for the consent to hold up. Miss any one and you are essentially texting without consent.
First, the consumer must affirmatively agree, more than fail to opt out. Pre-checked boxes don't work. Buried terms don't work. The agreement has to be an active choice [2].
Second, the authorization must be clear about who is doing the texting. The FCC's January 2025 one-to-one consent rule (effective January 27, 2025) requires that consent name the specific seller, not a category of sellers or a network of marketing partners [3]. If your lead gen vendor collects consent on behalf of a hundred different businesses, that consent does not cover you unless your company is individually named and the consumer agreed specifically to hear from you.
Third, the consent must say that the contact will use an autodialer or prerecorded messages. Consumers have to know they are agreeing to automated outreach, more than general marketing contact.
Fourth, the agreement must include the phone number being authorized. This is sometimes overlooked on web forms where the number is collected separately from the consent checkbox.
The FCC also requires that your opt-in language state that consent is not a condition of purchase [2]. If you gate a sale behind the text-marketing checkbox, you have voided the consent.
Here is what a compliant opt-in disclosure looks like in plain terms: "By providing your phone number and checking this box, you agree to receive autodialed marketing text messages from [Company Name] at the number provided. Consent is not a condition of any purchase. Message and data rates may apply. Reply STOP to cancel."
That language is not magic. What matters is that each required element is present, legible, and tied to the specific number and the specific company.
What changed with the FCC's 2024 one-to-one consent rule?
This is the biggest shift in TCPA consent practice in over a decade, and a lot of teams running lead-gen funnels are not ready for it.
In December 2023, the FCC released a Report and Order (FCC 23-107) that closed what it called the "lead generator loophole" [3]. Before this rule, a consumer could sign a single consent form on a comparison-shopping site and inadvertently authorize dozens of companies to contact them. That consent was considered "prior express written consent" even though the consumer had no idea which companies would be calling or texting.
Under the new rule, consent must be granted on a one-to-one basis: one consent form, one seller named specifically. The FCC's own language from the order states that the consent must be "logically and topically associated" with the website where it is collected and must identify the specific entity that will contact the consumer [3].
The practical effect is significant. If you buy leads from a third-party vendor, you cannot rely on whatever blanket consent that vendor collected. You either need to be named in that consent at the moment it was collected, or you need to collect your own consent independently.
For teams with affiliate or lead-gen traffic, this means auditing every upstream source now. The rule took effect January 27, 2025. Courts and the FCC have already started applying it in enforcement contexts, and plaintiff attorneys are aware of it.
For a broader look at how these changes fit into the current regulatory environment, see TCPA 2025: what changed, what it costs, and how to stay compliant.
Does an existing business relationship replace the need for written consent?
No. Not for marketing texts.
This is one of the most persistent misconceptions in outbound sales. Yes, there is an established business relationship (EBR) concept in TCPA and FTC telemarketing rules. But the EBR exception applies to the National Do Not Call Registry in the context of voice calls, not to the prior express written consent requirement for autodialed marketing texts to cell phones [4].
If someone bought from you last year and gave you their cell phone number during checkout, that does not give you permission to send them promotional SMS blasts via an autodialer. You still need written consent. The only thing the existing relationship might affect is whether certain transactional or informational texts are permissible without written consent, and even that is a narrow read.
Some businesses assume that because a customer gave them a phone number voluntarily, consent is implied. Courts have generally rejected implied consent for marketing texts. In the 2009 Ninth Circuit case Satterfield v. Simon & Schuster, the court found that providing a phone number for one purpose does not imply consent for a different and unrelated marketing use [5].
See TCPA existing business relationship: what actually protects you for a fuller breakdown of where EBR actually helps you and where it leaves you exposed.
How much can you be sued for per text message?
The TCPA's statutory damages are $500 per violation, meaning per message, for negligent violations [1]. If the court finds the violation was knowing or willful, that triples to $1,500 per message [1]. There is no cap per plaintiff, and the TCPA is a strict liability statute, so good intentions do not reduce the damages.
The class action math gets brutal fast. A company that sent 100,000 texts without valid consent faces potential statutory damages of $50 million at $500 per message, $150 million if a court finds willfulness. These are not theoretical numbers.
The Albertsons/Safeway TCPA settlement is a real example of what happens at scale. See the Albertsons Safeway TCPA settlement breakdown for how a retail chain's text marketing program turned into significant class-wide liability. UnitedHealthcare gives another reference point: the company agreed to pay $2.5 million over alleged TCPA violations, a case covered in detail at UnitedHealthcare to pay $2.5M for alleged TCPA violations.
Small businesses are not immune. Plaintiff attorneys file TCPA cases against companies of all sizes because the fee-shifting and statutory damages structure makes even small cases worth pursuing. A solo entrepreneur sending marketing texts through a mass-texting platform is just as exposed as a Fortune 500 company if the consent is defective.
| Violation type | Statutory damages per text | Notes |
|---|---|---|
| Standard (negligent) | $500 | Strict liability, no intent required |
| Knowing or willful | $1,500 | Court's discretion to treble |
| Class action exposure | $500, $1,500 × message count | No statutory cap per plaintiff |
| State law (some states) | Additional or higher | CA, FL, TX, WA add penalties |
What counts as an autodialer for SMS marketing purposes?
The autodialer definition matters because TCPA's prior express written consent requirement for cell phones is tied to use of an "automatic telephone dialing system" (ATDS) [1]. If your platform isn't an ATDS, the written consent standard may not apply (though state laws may pick up the slack).
The Supreme Court clarified this in Facebook, Inc. v. Duguid (2021), holding that an ATDS must have the capacity to produce telephone numbers using a random or sequential number generator, more than the ability to dial from a stored list automatically [6]. That ruling narrowed the definition somewhat from how some lower courts had read it.
In practice, most mass-texting platforms used for marketing campaigns, even the ones that dial from a contact list rather than generating numbers randomly, still carry ATDS risk in many contexts. And the FCC has signaled that it reads "capacity" broadly. The safest operational position is to treat your SMS marketing platform as an ATDS and require written consent regardless, because:
First, proving your platform is not an ATDS is expensive litigation, not a quick win. Second, many state laws (Florida's FTSA being the most aggressive) have broader definitions that don't rely on the ATDS concept at all. Third, if you have written consent, the ATDS question becomes irrelevant.
See the broader TCPA law explainer for more on the ATDS definition and how courts are applying Duguid in 2025.
How do you set up a compliant SMS opt-in in practice?
There are a few common opt-in methods, and they differ in how well they hold up under scrutiny.
Web form opt-in is the most common and, done right, the most defensible. The consent language must be visible near the phone number field and the submit button, not buried in a link to terms of service. The checkbox must be unchecked by default. You need to log the timestamp, IP address, form URL, and the exact language shown at the time of consent. That audit trail is your defense in litigation.
Text-to-join (keyword opt-in) works well for event signups and in-store promotions. A person texts a keyword like JOIN to your short code, and you respond with a confirmation message that restates what they are signing up for and offers an immediate opt-out path. That confirmation message becomes your written record. Keep your MO (mobile-originated) log.
Paper forms still work for in-person settings like trade shows or retail. They need the same disclosure language as web forms. You will want to scan or photograph the signed form and store it with a date stamp.
Checklist for any opt-in method:
- Company name explicitly stated
- ATDS/autodialed language disclosed
- "Consent is not a condition of purchase" stated
- Phone number captured as part of the agreement
- Opt-out instructions provided (STOP/HELP)
- Message frequency disclosed or approximated
- "Message and data rates may apply" stated
- Timestamp and form version logged
LeadCompliant's free consent language checker and TCPA compliance kit can run your current opt-in copy against these requirements in minutes, which beats guessing.
One thing that does not work: importing a list from a CRM and assuming consent was collected somewhere. If you cannot produce the specific consent record for a specific number, you do not have consent for that number.
What happens when consumers opt out, and what do you have to do?
Once someone texts STOP, that is an opt-out. Full stop, no exceptions.
The TCPA does not specify exactly which opt-out keywords you must honor, but FCC guidance and industry standards (the CTIA Messaging Principles) require honoring STOP, QUIT, CANCEL, UNSUBSCRIBE, and END [7]. Many platforms handle this automatically, but you need to verify your platform does it reliably and that the opt-out is applied across your entire database for that number, more than one campaign.
An opt-out must be processed immediately, or as close to immediately as technically possible. Sending even one more marketing message after a STOP request is a separate TCPA violation with its own $500 to $1,500 in damages.
You should send a single confirmation text after a STOP request, something like "You've been unsubscribed from [Company] texts. You will receive no further messages." That confirmation is allowed under FCC guidance even after an opt-out. Nothing else goes after it.
Re-consent is possible but requires the consumer to affirmatively restart the opt-in process themselves. You cannot send an "are you sure you want to opt out?" follow-up text. You cannot call them to ask.
Store your opt-out records indefinitely. Telephone numbers get recycled and reassigned. If you texted someone in 2022, they opted out, and that number is now assigned to a different person in 2025, your opt-out record protects you from sending to the old subscriber but you need a separate process to catch reassigned numbers before you add them to new campaigns.
Can B2B SMS marketing skip the written consent requirement?
Partially, and with real nuance.
The TCPA's written consent requirement covers calls and texts to cellular telephone numbers. Business phones that happen to be cell phones are still cell phones under the law. If you are texting a salesperson at their personal cell, you need consent. If the number belongs to a business and is answered by employees on behalf of the business, some courts have found that the cellular phone provisions apply differently, but this is not a settled area of law.
The cleaner way to think about B2B SMS: if you are texting a mobile number that a human being gave you as their personal work phone, assume you need consent and get it. The TCPA B2B exemption as commonly discussed relates mostly to autodialed calls to business landlines, not to personal cell phones used for work.
The FCC has not created a blanket B2B carve-out from the prior express written consent requirement for marketing texts to cell phones. Some practitioners argue that implied consent can arise from a business exchange of contact information, but that argument has lost more cases than it has won at the district court level.
For a deeper look at where B2B exemptions actually apply, see TCPA B2B exemption for AI calls: what businesses actually get.
What are the biggest consent mistakes that lead to TCPA lawsuits?
Looking at the pattern of cases, a few errors come up over and over.
Buying a list and assuming consent transfers. It doesn't. Consent is non-transferable in the FCC's framework [2]. The entity that collected the consent is the entity authorized to use it.
Using a pre-checked opt-in box. Courts have been unanimous: a pre-checked box is not affirmative agreement and does not establish prior express written consent.
Not documenting what the opt-in form said at the time of collection. If you update your website and overwrite the old consent language, you lose the ability to prove what a 2023 subscriber agreed to. Version your forms and log which version was shown.
Relying on verbal consent for marketing texts. The word "written" in "prior express written consent" means exactly that. A recorded phone call where someone says "sure, text me deals" is not sufficient for ATDS marketing texts.
Not auditing lead vendor consent. This is where the 2025 one-to-one consent rule bites hardest. If your marketing funnel uses any third-party leads, you need signed contracts with those vendors specifying exactly how consent is collected and requiring that your company be named.
Sending marketing texts outside allowed hours. The TCPA (and FCC regulations at 47 C.F.R. § 64.1200) limits automated calls and texts to between 8 a.m. and 9 p.m. local time of the recipient [8]. This is a separate violation even if the consent is otherwise valid.
For context on how class actions grow out of these mistakes, the Cash App TCPA class action settlement and Truist Bank TCPA class action settlement are instructive examples of how institutional programs built on defective consent structures become class-wide liability.
How do state laws layer on top of TCPA written consent requirements?
The TCPA sets a federal floor, not a ceiling. Several states have their own texting and telemarketing laws that are stricter.
Florida's Telephone Solicitation Act (FTSA), amended in 2021, applies to any "automated system" for selecting or dialing numbers, a definition broader than the TCPA's post-Duguid ATDS standard [9]. Florida also allows a private right of action with $500 per call/text in damages, similar to TCPA. Florida plaintiffs' attorneys have filed hundreds of FTSA cases since 2021.
California's consumer privacy framework (CCPA/CPRA) intersects with SMS marketing because phone numbers collected for marketing are personal information subject to disclosure and opt-out rights, separate from TCPA consent [10].
Washington State's Commercial Electronic Mail Act (CEMA) and its updates cover some text message scenarios. Texas, Oklahoma, and several other states have mini-TCPA statutes.
The practical upshot: your TCPA-compliant consent process needs review against the specific state laws of the states where your consumers live, more than federal rules alone. If you market nationally, Florida and California are not optional additions to your compliance analysis.
For a broader look at how state laws interact with federal TCPA rules, see TCPA guidelines: what every outbound team must know in 2025.
How long do you need to keep consent records?
The TCPA does not specify a record-retention period for consent records, which creates its own problem: lawsuits can be filed up to four years after the alleged violation under 28 U.S.C. § 1658, the general federal civil statute of limitations [11]. Some state TCPA analogs have different periods.
The practical answer is keep consent records for at least five years from the last contact with that number. Keep opt-out records indefinitely because number reassignment creates ongoing risk.
What you need to retain: the signed agreement or electronic equivalent, the timestamp and IP address for electronic consents, the form URL and exact text of the disclosure shown, the phone number and any associated email or name, and the opt-out timestamp if they later unsubscribed.
Cloud storage is fine. What matters is that records are retrievable, not archived in a format you can no longer read. If a plaintiff's attorney sends a litigation hold letter, you need to pull the consent record for any specific phone number within a day or two.
Some texting platforms automatically log opt-ins. Check whether your platform's logs meet the specificity requirements above. Many log that an opt-in occurred but not what the disclosure language said. That gap is a problem.
Where can you get tools to check your SMS opt-in compliance?
A few categories of tools actually help here.
Consent language validators check whether your current opt-in copy contains all required elements. LeadCompliant offers a free version of this at leadcompliant.com, including a downloadable compliance kit with template opt-in language that meets FCC requirements and notes the one-to-one consent rule.
DNC and reassigned number databases help catch numbers that should not be texted at all. The FCC's Reassigned Numbers Database (RND) is the authoritative source for identifying numbers reassigned to new subscribers [12]. Checking the RND before texting is not legally required, but courts have noted it as evidence of good-faith compliance effort.
Text messaging platforms with built-in compliance features, like handling STOP keywords automatically, logging opt-ins with timestamps, and enforcing time-of-day restrictions, reduce operational risk. These tools do not make your consent valid, but they prevent a lot of the mechanical errors that create additional violations.
For context on what a compliant text messaging program looks like operationally, the text message marketing and text messaging marketing guides on LeadCompliant go deeper on program structure.
None of this is a substitute for legal advice on your specific program. If you are running any volume of text marketing, a one-time review with a TCPA-experienced attorney is cheaper than the cheapest class action settlement. See telemarketing rules news: what changed and what's coming in 2025-2026 for the current regulatory landscape you would be asking them to help you sort through.
Frequently asked questions
Does TCPA written consent apply to text messages or just phone calls?
Both. The TCPA's prior express written consent requirement covers any telemarketing contact made using an ATDS or prerecorded message to a cellular telephone number, and the FCC has confirmed that text messages sent via an ATDS qualify as "calls" under 47 U.S.C. § 227. The same written consent standard that applies to autodialed marketing calls applies to autodialed marketing texts.
Is a double opt-in required for TCPA SMS consent?
The FCC does not require double opt-in. Single opt-in (one affirmative action with proper disclosure) is sufficient for TCPA compliance. That said, double opt-in creates a stronger evidentiary record because the reply confirms the consumer received the disclosure and still agreed. Many attorneys and compliance teams recommend it precisely because it generates a second logged confirmation.
Can I send one-time promotional texts without written consent?
No. Under TCPA, the number of texts is irrelevant. One marketing text sent via an ATDS without prior express written consent is one TCPA violation. The $500 per-message damage structure means a single text can anchor a lawsuit. The only exception is if the text is purely transactional, with zero promotional content.
Does consent obtained before the FCC's 2025 one-to-one rule still count?
Consent that was properly obtained under the prior rules and met all other requirements (written, affirmative, ATDS language, named seller) is generally still valid for that seller. The one-to-one rule applies to consent collected through lead generators or comparison sites where multiple sellers were bundled. If your pre-2025 consent named your company specifically, it should still hold. If it didn't, you need new consent.
What is the difference between express consent and prior express written consent?
Express consent covers informational or transactional calls and texts. Prior express written consent is required specifically for marketing or advertising messages. The word "written" adds the signed agreement requirement. The word "prior" means the consent must be in place before the first message is sent, not collected concurrently or after.
Can I text someone who gave me their number on a business card?
Receiving a business card means you have a number, not consent to send marketing texts via an autodialer. Implied consent arguments based on business card exchange have generally failed in court for ATDS marketing texts. If you want to text that person promotional messages, you need written consent that meets the FCC's requirements, even in a B2B context where they gave you the card voluntarily.
What should I do if I inherited a contact list with questionable consent records?
Do not text that list until you have verified consent for each number. Audit the consent records: when was consent collected, what disclosure was shown, which company was named, was it truly written and affirmative? Anything you cannot verify should be treated as no consent. Re-consent campaigns via email or other non-ATDS channels may let you rebuild compliant consent before texting.
Can someone sue me individually, more than as a class?
Yes. The TCPA allows individual private rights of action, more than class actions. An individual plaintiff can sue for $500 per message or $1,500 if willful, plus injunctive relief. Individual cases are often filed in small claims or state court, which means lower attorney cost for the plaintiff and faster resolution. Volume texters face both class exposure and a long tail of individual claims.
Do toll-free numbers or short codes change the consent requirement?
No. The consent requirement is determined by what you are doing (marketing via ATDS) and who you are contacting (cell phone number), not by what number you are texting from. Short codes, toll-free numbers, and 10DLC long codes all require prior express written consent for marketing texts to cell phones under the TCPA.
How does the FCC's reassigned numbers database factor into SMS compliance?
The Reassigned Numbers Database (RND), maintained by the FCC, lets you check whether a number has been reassigned to a new subscriber since you collected consent. If a number was reassigned and you text the new subscriber without their consent, that is a TCPA violation even if your records show prior consent from the original subscriber. Checking the RND before sending is not legally mandatory but is evidence of reasonable compliance effort.
What time of day can I legally send marketing texts?
FCC rules at 47 C.F.R. § 64.1200(a)(9) restrict autodialed calls and, by extension, texts to between 8 a.m. and 9 p.m. local time of the recipient. That means local time where the consumer is, not where you are. Sending a marketing text at 9:30 p.m. Eastern to a California number (6:30 p.m. Pacific) is fine. Sending it at 10 p.m. Eastern to a New York number is a separate violation.
Does TCPA consent need to be renewed over time?
The TCPA does not set an expiration date on valid consent. However, if the scope of your texting changes significantly beyond what was disclosed at opt-in, courts may find that consent does not cover the new use. An opt-in for "weekly deal alerts" probably does not cover daily flash-sale texts or texts from a new brand you acquired. When your program changes meaningfully, re-consent is the clean answer.
Are there any industries exempt from TCPA written consent for SMS?
Very few and narrowly defined. Healthcare entities have some limited exceptions for patient care messages under FCC rules, and financial institutions have narrow exceptions for fraud alerts and certain account-related notifications. These exceptions cover transactional or urgent informational content, not marketing. No industry is fully exempt from prior express written consent for promotional text messages.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits ATDS calls to cellular numbers without prior express consent; statutory damages are $500 per violation, tripled to $1,500 for willful violations
- FTC, Telemarketing Sales Rule, 16 C.F.R. § 310.4: Established business relationship exception applies to DNC-registry calling rules, not to TCPA prior express written consent requirement for autodialed texts
- Satterfield v. Simon & Schuster, Inc., 569 F.3d 946 (9th Cir. 2009): Ninth Circuit held that providing a phone number for one purpose does not imply consent for unrelated marketing use
- Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: Supreme Court held that an ATDS must have capacity to produce numbers using a random or sequential number generator, narrowing the ATDS definition
- FCC, 47 C.F.R. § 64.1200(a)(9), Time Restrictions on Autodialed Calls: FCC regulations restrict autodialed calls and texts to between 8 a.m. and 9 p.m. local time of the recipient
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA amended 2021, applies to any automated system for selecting or dialing numbers, broader than TCPA's post-Duguid ATDS standard, with $500 per-text private right of action
- California Attorney General, California Consumer Privacy Act (CCPA/CPRA): California CCPA/CPRA treats phone numbers collected for marketing as personal information subject to disclosure requirements and opt-out rights, separate from TCPA consent
- U.S. Code, 28 U.S.C. § 1658, Federal Statute of Limitations: General federal civil statute of limitations is four years, meaning TCPA plaintiffs can sue up to four years after the alleged violation