Last updated 2026-07-09

TL;DR
A2P 10DLC is a carrier-registered system that lets businesses send texts from 10-digit local numbers. Under TCPA (47 USC 227), senders need prior express written consent before marketing texts. If you got an unwanted message, the sender may owe you $500 to $1,500 per text. This article explains the system, your rights, and what compliant senders must do.
What is an A2P 10DLC number and why did it text you?
A2P stands for Application-to-Person. It describes any text sent by software or a business platform to a real person, as opposed to a human typing on a phone. 10DLC is the carrier term for 10-digit long codes, meaning ordinary-looking local numbers (like 512-555-0198) that have been registered with a campaign registry to handle business texting at scale. [1]
Before 10DLC existed, businesses bought unregistered long-code numbers and blasted messages with little accountability. Carriers tolerated it. Spammers abused it. The major U.S. carriers (AT&T, T-Mobile, Verizon) responded by building The Campaign Registry (TCR), a central database that went live for AT&T in 2021 and became mandatory across major carriers by mid-2023. [2]
When a business registers its brand and a specific messaging campaign with TCR, it gets a trust score. Carriers use that score to set throughput rates and to decide whether to deliver messages at all. So the number that texted you is probably a real local number tied to a real registered brand. That does not mean the sender followed the law. Registration proves the sender exists. It does not prove they got your consent.
You might have gotten a text from a 10DLC number because you gave your number to a retailer, signed up for alerts, entered a sweepstakes, or because a lead-generation company sold your contact info to a company you've never heard of. That last one is where TCPA problems usually start.
What does TCPA say about texts sent to your phone?
The Telephone Consumer Protection Act, 47 USC 227, passed in 1991 and has been expanded by FCC rulemaking ever since. The statute covers calls and texts to mobile numbers. [3]
The key provision for marketing texts is 47 USC 227(b)(1)(A), which bars using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to call a mobile number without the called party's prior express consent. The FCC's 2012 rules tightened this to require prior express written consent for marketing messages. That means a signed agreement (electronic signatures count) where the consumer clearly agrees to get automated marketing texts from a specifically named sender. [4]
The FCC's 2012 order set the baseline every sender is held to: prior express written consent must be obtained "before the telemarketer delivers the first advertisement or telemarketing message."
A few things the law does not require. It does not require the number to look like a short code. It does not require special formatting. It does not require the sender to be a large company. A two-person startup texting leads without consent faces the same liability as a Fortune 500 company.
Transactional texts, things like shipping confirmations or appointment reminders where you already have a relationship, sit under a lower standard of prior express consent (not written). But any text with a marketing element crosses back into the written-consent requirement. The line between transactional and marketing gets blurry fast, and courts lean toward the consumer when it's ambiguous.
How does A2P 10DLC registration relate to TCPA compliance?
This is the part that trips people up. They are separate systems.
10DLC registration is a carrier requirement. It's about network access and deliverability. Carriers want to know who's sending traffic so they can filter spam and manage throughput. Registering your brand and campaign with The Campaign Registry does not give you legal permission to text anyone. It does not substitute for TCPA consent.
Think of it this way. A business license lets you legally operate a car dealership. It does not let you park cars on your neighbor's lawn. 10DLC is the business license. TCPA consent is the permission to text a specific person.
The FCC reinforced this split in its 2023 one-to-one consent ruling, which took effect in January 2025. That rule requires consent to be obtained separately for each individual business, so a single checkbox on a lead-gen form cannot bundle consent to dozens of companies at once. [5] Carriers cannot enforce that rule. Only the FCC and plaintiffs' attorneys can.
For senders, the practical takeaway is blunt: you can be fully 10DLC-registered and still face huge TCPA exposure if your consent records are bad. For consumers, it means a message that landed in your inbox (one that didn't get filtered) still may have been illegal to send.
Some compliance tools track both. LeadCompliant, for example, publishes free TCPA checkers and a one-time compliance kit that covers the consent documentation side more than the carrier registration side. Those are two separate compliance layers, and teams that only handle one of them are gambling.
What are the TCPA penalties for illegal texts, and who can sue?
TCPA is a private right of action statute. You do not need to wait for the FCC or the FTC to act. Any person who received an illegal text can sue the sender directly in federal or state court. [3]
The damages are:
- $500 per violation (per illegal text) for negligent violations.
- Up to $1,500 per violation if the court finds the sender willfully or knowingly violated the statute. [3]
There is no cap per plaintiff, and class actions are common. A company that texted 100,000 people without proper consent faces up to $150 million in statutory damages at the $1,500 rate. That is not hypothetical. Real settlements have hit those ranges.
For reference, UnitedHealthcare paid $2.5 million to settle alleged TCPA violations, and Truist Bank faced a class action TCPA settlement over similar issues. Credit One Bank also settled a significant TCPA case tied to automated contact without consent. These are not edge cases.
The statute of limitations is four years under 28 USC 1658, the federal catch-all, though some courts have applied a shorter period depending on jurisdiction. [8] You generally have time to consult an attorney after receiving illegal texts.
Class actions are where the real money sits. A single plaintiff might net $500 to $1,500. A class of 50,000 people with the same complaint can produce a settlement worth tens of millions. Plaintiffs' attorneys work these cases on contingency, so there's no upfront cost to bring them. That's why TCPA litigation volume stays high. The Judicial Panel on Multidistrict Litigation sees hundreds of TCPA cases every year.
What TCPA penalties look like across violation types
| Violation type | Statutory damage per text | Notes |
|---|---|---|
| No prior express written consent (marketing text) | $500 to $1,500 | Court decides willfulness |
| Called a number on the National DNC Registry without written agreement | $500 to $1,500 | Applies per call or text |
| No opt-out mechanism in message | Up to $500 | FCC rule requirement |
| Texting after opt-out request | $500 to $1,500 | Subsequent contact is often treated as willful |
| Using a short code or 10DLC without carrier registration | Carrier may block; no direct TCPA fine | But registration gaps often signal broader consent problems |
The table above reflects the statutory damages in 47 USC 227 and FCC implementing rules. [3][4] Courts can award treble damages (the $1,500 figure) at their discretion for willful violations. Some courts are stingy with trebling. Others are not. Nobody has reliable aggregate data on average awards in contested cases, because most settle before judgment.
How can you tell if the 10DLC text you received was legal?
Start with three questions.
First, did you give this company your cell number and agree to receive automated marketing texts from them specifically? A vague checkbox that says "I agree to terms" does not meet the FCC's written consent standard. The consent has to name the sender, disclose that texts will be automated, and say they may be marketing in nature. [4]
Second, did the message include a clear opt-out mechanism? FCC rules require marketing texts to include a way to stop them, usually instructions like "Reply STOP to unsubscribe." [12] If the message had no opt-out language, that's a standalone violation.
Third, is this a number you've seen before from a company you actually do business with? Relationship texts (your bank confirming a transaction, a doctor's office confirming an appointment) can use prior express consent without the written requirement, but they still need some form of consent.
If the answer to the first question is no, and the message was clearly promotional, you likely got a text that violated TCPA. The burden of proving consent is on the sender, not you. A sender who cannot produce a timestamped consent record with your specific agreement to their messages will have a hard time in court.
You can look up whether a 10-digit number is registered as an A2P long code by checking with your carrier or using an online carrier lookup tool. If the number shows as unregistered, the sender was also breaking carrier requirements. That adds to the picture, but it's not a TCPA violation on its own.
What should you do if you received an illegal text from a 10DLC number?
Document everything first. Screenshot the message showing the sending number, the content, the timestamp, and any links. Do not delete it. Note whether you ever gave this company your number and under what circumstances.
Send an opt-out reply. Reply STOP (or UNSUBSCRIBE, QUIT, CANCEL, or END, all of which carriers require senders to honor). If the sender keeps texting after your opt-out, that's a separate willful violation for each message. That matters a lot for damages.
File a complaint with the FCC at fcc.gov. The FCC does not guarantee individual recovery, but complaints build the enforcement record. The FTC also takes Do Not Call complaints at donotcall.gov if your number is on the DNC Registry. [6][7]
Consider consulting a TCPA attorney. Most plaintiff-side TCPA attorneys take cases on contingency. If you got one text, it may not be worth pursuing alone (though some do). If you received repeated texts or can show a pattern, it gets more interesting to attorneys. You can find TCPA lawyers in specific states like Kentucky who focus on this area.
Do not engage with the content of suspicious texts. Do not click links. Some spam texts pose as A2P business messages to harvest data or push malware. The legal question and the safety question are separate. Handle the safety concern first.
What do compliant senders have to do before texting you?
For any sender running an outbound SMS program on 10DLC numbers, here's what the law actually requires before the first marketing text goes out.
Get prior express written consent. This means a written agreement (paper or electronic) that clearly discloses the consumer is agreeing to receive autodialed or prerecorded marketing texts from the specific named company, and captures the number where they agree to be contacted. A generic lead form with buried terms does not clear this bar, especially after the FCC's January 2025 one-to-one consent rule. [5]
Register brand and campaign with The Campaign Registry. This is a carrier requirement separate from TCPA. Brand registration covers company identity. Campaign registration covers the specific use case (marketing, customer care, delivery notifications). Unregistered A2P traffic gets filtered or blocked on major U.S. carriers. [2]
Honor the National DNC Registry. B2C senders must check the FTC's National Do Not Call Registry before texting (and calling) consumers. The DNC Registry applies to marketing texts, not only phone calls. Entities must subscribe to the registry and scrub against it regularly. [7][10]
Include required opt-out instructions in every marketing message. FCC rules require automated marketing messages to carry clear instructions on how to stop them. [12]
Maintain consent records. If a consumer disputes consent, the burden is on the sender. Consent records need the timestamp, the IP address or signature, the exact consent language the consumer saw, and the number they agreed to receive texts on. Store these for at least four years (the TCPA statute of limitations period) as a floor.
For a deeper look at what a compliant text program looks like end to end, text message marketing best practices and text messaging marketing compliance cover the full setup. The compliance kit at LeadCompliant packages the consent documentation templates and DNC scrubbing workflow in one place if you want a starting checklist.
Stopping robocalls and robotexts is related, but that covers the consumer-side tools, which is a different angle.
Did the FCC's 2025 one-to-one consent rule change anything for 10DLC?
Yes. A lot.
The FCC's Report and Order on one-to-one consent, adopted in December 2023 with a compliance date of January 27, 2025, closed a loophole lead-generation companies had used for years. [5] Under the old reading, a single consent form on a comparison-shopping or lead-gen site could bundle consent for dozens of marketing partners at once. A consumer who checked a box to get insurance quotes was, at the same moment, agreeing to texts from 40 companies they'd never heard of.
The new rule requires consent from a single named company at a time, in a context logically and topically related to the seller's product or service. Blanket consent to unspecified "marketing partners" no longer works for TCPA purposes.
For 10DLC senders, this means you cannot buy leads from aggregators and assume the consent that came with the lead is good enough. You need consent that names your company. If your lead vendor is still selling leads with shared consent, those leads are legally radioactive under the current standard.
The rule has already produced litigation. Lead-gen groups challenged it in court, and the Eleventh Circuit vacated part of the rule in early 2024, but only on narrow administrative grounds tied to the honor period, not the core one-to-one consent requirement. [5] The one-to-one consent standard itself remains in effect as of mid-2025.
If you got a text from a company you never directly dealt with, there's a real chance their consent record is now legally deficient under the 2025 standard, even if it might have passed before.
How do big TCPA settlements happen and could you be part of one?
Class action TCPA cases follow a predictable path. A plaintiff receives unwanted texts (or calls), documents them, and finds a plaintiffs' attorney willing to take the case. The attorney files a class action complaint in federal court on behalf of "all persons who received similar messages." If the court certifies the class, the case covers potentially thousands or millions of consumers.
Settlements usually require class members to submit a claim form, often online, to get a share of the settlement fund. Individual payments vary widely. In small funds split among big classes, each claimant might net $20 to $50. In larger settlements or smaller classes, it can be much more.
Recent examples from the TCPA settlement landscape: Albertsons and Safeway settled a TCPA class action over promotional texts, and Cash App faced a TCPA class action settlement over automated messages. Kaiser also had a TCPA settlement with a specific claim deadline that shows how time-sensitive these claim windows get.
If you received texts from a major company that you believe were non-consensual, search for existing class actions against that company. PACER (federal court records) or a plain web search for "[company name] TCPA settlement" can surface active cases. [11] You may already be a class member without knowing it.
For ongoing developments, TCPA news tracks new filings and settlements that might affect you as a consumer or as a sender.
The Joseph Snyder vs. Credit One TCPA case is a detailed example of how individual plaintiff cases can drive broader class-level outcomes.
What should senders do right now to stay compliant with A2P 10DLC and TCPA?
If you run any kind of outbound SMS program, here's the short version of what actually protects you.
Audit your consent records today. Pull a sample of 100 contacts from your send list and verify each has a documented consent record showing your company's name, the consent language, a timestamp, and a phone number match. If more than 10% of your sample has gaps, you have a systemic problem.
Stop buying shared leads for SMS without re-consenting them. After January 2025, consent that names "marketing partners" without your company's name is not compliant. Either get direct consent or don't text those numbers.
Scrub against the National DNC Registry every 31 days or sooner for any consumer list. The FTC requires organizations to honor DNC registrations within 31 days of the consumer signing up. [7][10]
Register your brand and all active campaigns with The Campaign Registry if you haven't. Unregistered traffic gets blocked, and blocked traffic often means consumers complain to carriers, which brings more scrutiny. Registration does not solve your consent problem. It solves your deliverability problem.
Build an opt-out system that actually works. When someone replies STOP, your platform needs to remove them instantly and never text them again from that campaign. Log the opt-out with a timestamp. Texting after an opt-out is the easiest willfulness argument a plaintiff can make.
Keep consent records for at least four years. The TCPA statute of limitations is generally four years. [8] Your records need to survive that window.
None of this is optional. The $1,500 per message exposure stacks fast once a plaintiff's attorney gets involved.
Frequently asked questions
What is an A2P 10DLC number?
A2P 10DLC is a carrier-registered 10-digit local phone number used by businesses to send automated text messages at scale. A2P means Application-to-Person. The number looks like a regular local cell number but is registered with The Campaign Registry, which major U.S. carriers use to manage business SMS traffic. Registration started becoming mandatory across carriers in 2021 through 2023.
Is it legal for a business to text me without my permission?
No, for marketing texts. Under TCPA (47 USC 227), businesses need prior express written consent before sending automated marketing texts to your cell phone. That means a signed agreement naming the specific sender. A generic terms-of-service checkbox usually does not satisfy this standard. Transactional texts from companies you have a direct relationship with need only prior express consent, a lower bar, but still require some form of agreement.
How much can I sue for an unwanted text message?
TCPA allows $500 per illegal text for negligent violations and up to $1,500 per text for willful violations. There is no per-plaintiff cap. If you received 10 illegal texts, you could claim up to $15,000. Class actions multiply this across all recipients. Plaintiffs' attorneys handle these cases on contingency, meaning no upfront cost to you. The statute of limitations is generally four years.
Does A2P 10DLC registration mean the sender has TCPA consent?
No. These are completely separate systems. 10DLC registration is a carrier requirement about network access and spam filtering. TCPA consent is a legal requirement about having permission from each individual recipient. A sender can be fully registered with The Campaign Registry and still violate TCPA by texting people who never consented. Registration proves the sender exists; it does not prove they got your permission.
What should I do if I get an unwanted text from a business?
Screenshot the message with the number and timestamp. Reply STOP to trigger the legal opt-out requirement. File a complaint with the FCC at fcc.gov and the FTC at donotcall.gov if you're on the DNC Registry. If the texts continue after your opt-out, document each one separately. Consult a TCPA attorney if you receive multiple messages or want to pursue damages. Do not click any links in suspicious texts.
What changed with the FCC's 2025 one-to-one consent rule?
Starting January 27, 2025, the FCC requires that TCPA consent be obtained from one named company at a time. Bundled consent forms where a single checkbox covers dozens of unnamed marketing partners are no longer valid. Businesses that bought leads from aggregators using shared consent forms now have legally deficient consent records for SMS purposes. This rule has already generated new TCPA litigation.
Can a business text me if my number is on the Do Not Call Registry?
The National DNC Registry covers marketing texts as well as calls. If your number is registered and a business texts you for marketing purposes without a prior written agreement or an established business relationship, they have violated both TCPA and FTC rules. The FTC administers the DNC Registry and businesses are required to check it at least every 31 days before contacting consumers.
How do I know if a number is registered as A2P 10DLC?
You can use carrier lookup tools (many are free online) to check whether a 10-digit number is registered as a business messaging number. Your carrier's customer service can also tell you. However, registration status does not tell you whether the sender had legal consent to contact you. An unregistered number sending commercial messages may indicate a less careful operation, but registered numbers can still violate TCPA.
What is the statute of limitations for TCPA text message claims?
Most federal courts apply a four-year statute of limitations to TCPA claims under 28 USC 1658, the general federal catch-all. Some courts have debated whether a shorter period applies. The practical rule is to act within four years of receiving the illegal message. If you are a potential class member in an existing settlement, the claim window may be shorter, sometimes only 60 to 90 days once a settlement is announced.
Can a small business or startup be sued under TCPA?
Yes. TCPA applies to any person or entity that initiates a covered call or text. Company size is irrelevant. A two-person startup texting prospects without proper consent faces the same $500 to $1,500 per-text exposure as a large corporation. Courts have not carved out exceptions for small businesses. If anything, small companies are at higher risk because they are less likely to have formal consent documentation and compliance processes in place.
Does TCPA cover texts sent from a local number, or only short codes?
TCPA covers any automated text to a mobile number regardless of what type of number the sender used. Short codes (5-6 digit numbers), toll-free numbers, and 10DLC long codes all fall under the same rules. The format of the sending number does not change the consent requirement. This is a common misconception. Using a local 10-digit number does not create a legal safe harbor.
What evidence do I need to prove a text violated TCPA?
You need to show you received an automated marketing text and that you did not give valid prior express written consent. A screenshot with timestamp, sending number, and message content is the core evidence. The sender then bears the burden of producing a valid consent record. If they cannot, that is strong evidence of a violation. Opt-out logs showing you replied STOP and then received more texts are especially valuable for showing willfulness.
Are appointment reminder texts or shipping notifications covered by TCPA?
Transactional texts like shipping confirmations, appointment reminders, and bank alerts require only prior express consent (not written consent) as long as they contain no marketing content. The moment a transactional text adds promotional content, such as a coupon or upsell, it crosses into marketing territory and requires prior express written consent. Courts look at the primary purpose of the message to make this determination.
What is The Campaign Registry and who runs it?
The Campaign Registry (TCR) is a third-party organization designated by major U.S. carriers to manage A2P 10DLC registration. Businesses register their brand identity and their specific messaging campaigns with TCR. TCR assigns trust scores that carriers use to determine message throughput and filtering. TCR is not a government agency and has no TCPA enforcement authority. It operates as a private industry body under carrier requirements.
Sources
- The Campaign Registry, A2P 10DLC overview: A2P 10DLC describes business text messaging using registered 10-digit local numbers, governed by carrier requirements through The Campaign Registry
- The Campaign Registry, official registry for A2P 10DLC: The Campaign Registry is the centralized body designated by major U.S. carriers to manage brand and campaign registration for A2P 10DLC messaging
- Cornell Legal Information Institute, 47 USC 227 Telephone Consumer Protection Act: 47 USC 227 prohibits using an ATDS to call or text a mobile number without prior express consent; provides $500 per violation and up to $1,500 for willful violations; creates a private right of action
- FCC, consumer complaint center: Consumers can file informal complaints about unwanted calls and texts with the FCC through its consumer complaint center
- FTC, National Do Not Call Registry: FTC administers the National DNC Registry; businesses must honor registrations within 31 days; registry covers marketing texts as well as calls
- Cornell Legal Information Institute, 28 USC 1658 statute of limitations: The general federal statute of limitations of four years applies to TCPA claims under 28 USC 1658
- FTC, Telemarketing Sales Rule: FTC Telemarketing Sales Rule requires sellers to scrub against the DNC Registry at least every 31 days
- U.S. Courts, PACER federal case search: Federal TCPA class action cases are searchable through the PACER federal court records system