Abandoned cart SMS and TCPA consent: what ecommerce stores must know

Sending abandoned cart texts without prior express written consent can cost $500, $1,500 per message under TCPA. Here's exactly what consent you need and how to get it.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-11

Person reading an SMS notification on a smartphone beside a delivered package
Person reading an SMS notification on a smartphone beside a delivered package

TL;DR

Abandoned cart SMS messages are telemarketing under the TCPA, so you need prior express written consent before sending them to any US customer's cell phone. A plain checkout opt-in checkbox does not automatically qualify. Get the consent wrong and exposure runs $500 to $1,500 per text, per recipient, with no cap on class size.

Are abandoned cart texts covered by the TCPA?

Yes, fully. The Telephone Consumer Protection Act, 47 U.S.C. § 227, covers any call or text sent to a mobile number using an automatic telephone dialing system (ATDS) or a prerecorded voice. [1] Most ecommerce SMS platforms send messages from stored contact lists automatically, and courts and the FCC have long treated that kind of technology as within TCPA reach.

Abandoned cart texts are not transactional messages. They exist to recover a sale. That makes them telemarketing under the FCC's rules, specifically 47 C.F.R. § 64.1200(f)(12), which defines telemarketing as any communication "the purpose of which is to encourage the purchase or rental of, or investment in, property, goods, or services." [2] A message that reads "You left something behind, here's 10% off" fits that definition exactly.

The transactional exception does not save you. That exception covers order confirmations, shipping notifications, and password resets. An abandoned cart message confirms nothing the customer did. It tries to get them to finish something they stopped short of doing. Courts and the FCC have rejected attempts to reframe recovery texts as transactional. [3]

So the rule is simple. If your platform sends abandoned cart texts to US mobile numbers, the TCPA applies, and you need the right consent before the first message goes out.

You need prior express written consent, the higher of the two TCPA consent tiers. Informational messages (shipping updates, appointment reminders) require only prior express consent, meaning the person gave you their number and could reasonably expect such messages. Marketing messages demand more. [2]

Abandoned cart texts are marketing, so the written standard applies. The FCC's 2012 order defined prior express written consent as an agreement that: (1) is in writing (electronic signatures and web form submissions count), (2) clearly authorizes calls or texts to a specific number, (3) using an ATDS or prerecorded voice, (4) for telemarketing, and (5) is not required as a condition of purchase. [4]

That last point trips people up. Gate checkout behind an SMS opt-in and you have violated the condition-of-purchase prohibition. Consent has to be voluntary.

The disclosure has to be clear and conspicuous. Fine print and pre-checked boxes fail. Before the customer submits their number, they need to see that they are agreeing to marketing texts, what kinds of messages to expect, and that message and data rates may apply. [4]

Here is the trap that catches good stores. You collect a phone number for order notifications at checkout, then route that same number into an abandoned cart flow. The consent does not stretch. The customer agreed to transactional messages, not marketing ones. You need a separate, clearly labeled opt-in for the marketing category.

Does collecting a phone number at checkout count as TCPA consent?

Not by itself. A phone number collected at checkout only grants consent for the purposes disclosed at the point of collection. [4] If you asked for the number to send order updates, that is all the customer agreed to.

This is where many ecommerce stores get burned. They add a phone field at checkout, send confirmation and shipping texts (fine), then route the same number into an abandoned cart flow (not fine). The consent scope does not follow.

To make checkout consent cover marketing texts, the opt-in language on that page has to describe marketing messages as part of what the customer is agreeing to. Something like: "By checking this box and providing your phone number, you agree to receive marketing text messages from [Store Name], including cart reminders and promotional offers, sent via automated systems. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to unsubscribe." Pair that with an unchecked box the customer actively checks, and you have what prior express written consent actually looks like. [4]

Pre-checked boxes do not count. The FCC requires affirmative action by the consumer. [4] A lot of Shopify and WooCommerce default checkout setups ship with pre-checked SMS boxes. If you run those defaults, you almost certainly have a consent gap right now.

TCPA exposure from non-compliant abandoned cart SMS Statutory damages per violation, plus real-world settlement context $500 Per-text statutory damages… $1,500 Per-text statutory damages… $5M Exposure for 10,000 texts (standard) $15M Exposure for 10,000 texts (willful) Source: 47 U.S.C. § 227; FCC 12-21 (2012)

The FCC adopted a one-to-one consent rule in December 2023, with an original effective date of January 27, 2025. [5] It would have required consumer consent to name the specific seller making contact, ending the practice of a single opt-in shared across many marketing partners. Courts later vacated portions of the rulemaking, and the timeline has been contested, so the current status of that provision depends on where litigation stands when you read this.

What is not in dispute: the core prior express written consent requirement has always required the agreement to authorize the entity making contact. [4] If you collect your own first-party opt-ins, this already applied to you. The one-to-one rule mostly hit lead generators and affiliate networks that resold consent lists, not direct-to-consumer brands sending their own abandoned cart texts.

For a standard store, the takeaway is short. Make sure your consent names your brand, not a vague "our marketing partners." That has always been the safer practice, and recent regulatory movement only points harder in that direction.

Check the FCC's site and recent federal court decisions for the current status before you make compliance decisions today. This is genuinely an area where the rules keep moving. [5]

What does a compliant abandoned cart SMS opt-in actually look like?

Here is what the working parts look like in practice.

The opt-in should sit near the phone number field at checkout, or as a dedicated step in a pop-up or account creation flow. The consent checkbox starts unchecked. The label text has to be readable (not 8-point gray on white) and has to include your brand's name, the fact that messages are automated, the purpose (marketing, cart reminders, promotions), the stop mechanism (reply STOP), the data rates disclosure, and a link to your privacy policy and SMS terms. [4]

A double opt-in confirmation text, sent after the customer first subscribes, adds documentation. The TCPA does not require it, but it creates a record that the customer took a second affirmative step. If a dispute lands later, that record earns its keep.

Your SMS provider should store consent timestamps, the exact language the customer saw, the IP address, and the form version at submission. If you cannot produce that record in response to a legal demand, proving consent gets hard fast. This is standard discovery in TCPA cases, not an edge case.

Pop-up opt-ins (email exit-intent, spin-the-wheel offers) follow the same rules. The format does not change the standard. The required disclosures have to be present and visible before the customer submits.

Skip the dark patterns. Consent buried in a 400-word terms block, or a form worded "I would like to receive order updates" that you then treat as marketing consent, is exactly what ends up in class action complaints. [3]

What are the TCPA penalties for non-compliant abandoned cart texts?

The statute sets damages at $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones. [1] Each text to each recipient is a separate violation. Send a single abandoned cart text to 10,000 people without proper consent and your theoretical exposure is $5,000,000 to $15,000,000 before a court even reaches willfulness.

TCPA cases are almost always class actions. The per-violation amounts are too small for individuals to sue over alone, but the class economics work well for plaintiffs' attorneys. Certification is relatively routine because the legal and factual questions are common across class members.

Settlements show the real cost. The cash app tcpa class action settlement shows the scale these cases reach. The credit one tcpa settlement is another worth reading if you want to see how fast exposure compounds when a company sends high volumes without clean consent.

Willfulness does not require intent to break the law. Sending texts after you have been put on notice of a consent problem, or after a recipient sent STOP, can be treated as willful. Courts have found willfulness where a company simply failed to build basic consent systems despite operating in an industry where the rules are public. [3]

For a small ecommerce company, a modest class of 5,000 people with a single text each represents $2.5 million to $7.5 million in statutory exposure. That is not a scare number. It is the arithmetic the TCPA writes for you.

Does a STOP opt-out request have to be honored immediately?

Yes. Once a recipient texts STOP (or any standard keyword: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT), you have to stop sending marketing texts. The FCC's rules require opt-out requests to be honored within a reasonable time, and the industry treats that as immediate. [11]

You can send one final confirmation text acknowledging the opt-out. That is expressly permitted. You cannot send a follow-up offer, a "sorry to see you go" pitch, or any other marketing message afterward.

Scrubbing your list for opt-outs before each send is not optional. If someone opted out three months ago and gets another abandoned cart text because your list was not updated, that is a fresh violation. Your ESP or SMS tool failing to sync the opt-out is not a defense. It is your operational problem.

If you also run outbound calls, cross-referencing the do not call list for voice contacts is a related step, and knowing what the mobile phone do not call list covers is worthwhile when your team dials the same customer base.

How many abandoned cart texts can you legally send?

The TCPA sets no numerical cap on message frequency, as long as each message carries proper consent. But consent has limits baked in. If your opt-in disclosed "occasional cart reminders," a five-message sequence over 72 hours may push past what the customer reasonably agreed to.

The CTIA (the wireless industry trade association) publishes messaging guidelines suggesting around three messages per session for triggered sequences like cart recovery, and many SMS platforms build flows around that number. [6] These guidelines are not law, but courts and the FCC treat them as evidence of reasonable industry practice.

Beyond consent scope, frequency matters for two practical reasons. Excessive contact after clear silence starts to look like harassment under state laws even when you hold TCPA consent. And carriers flag sending numbers for spam patterns, which sinks deliverability no matter how clean your legal position is.

My rule of thumb: one to three messages per abandoned cart event, spaced over one to three days. That is where most compliant and commercially effective programs sit. Push past it and you risk both legal exposure and unsubscribe rates that gut your list quality.

Do state laws add requirements on top of TCPA for ecommerce SMS?

Several do. Florida's Telemarketing Act, amended by the 2021 Mini-TCPA (Florida SB 1120), created state-level requirements that in places exceed federal standards, including provisions that do not depend on ATDS technology at all. [7] That matters because some businesses argue their systems are not technically an ATDS and therefore dodge TCPA reach. Florida's law plugs that gap.

California's Invasion of Privacy Act and consumer protection statutes create added exposure for California residents. Washington State has its own Commercial Electronic Mail Act that can reach mobile marketing messages. Oklahoma, Virginia, and other states have enacted or proposed similar statutes recently.

Selling nationally means your consent language and opt-out procedures have to meet the strictest applicable standard across your customer base. Design to the toughest current standard (usually Florida or California) and you generally cover yourself everywhere else.

This is why "my SMS platform handles compliance" is a dangerous assumption. Platforms handle sending mechanics. They do not know what language appeared on your opt-in form, whether it was pre-checked, or whether your disclosures match what you actually send. That is on you.

Read your state-specific obligations before you launch any SMS program, not after. That is the right order of operations.

The TCPA puts the burden of proving consent on the sender. [1] If a plaintiff says they never agreed to your texts, you have to show they did. Your records need to be real, retrievable, and tied to the specific individual.

At a minimum, capture the date and time consent was given, the phone number it was given for, the exact opt-in language the consumer saw, the form or page version, and any confirmation messages sent. Ideally you also log the IP address, the device type, and a session identifier.

Store these records for at least four years. TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658, and some state claims run on different clocks. [10]

Most major SMS platforms (Klaviyo, Attentive, Postscript, Yotpo SMS) keep consent logs at some level, but check what they actually capture and whether you can export it. "We use [platform X]" is not a consent record. An exportable CSV with a timestamp and the opt-in source URL is closer to one.

LeadCompliant's free TCPA compliance kit includes a consent record checklist you can run against your current setup for a quick gap assessment.

If you also run outbound calls, consent documentation matters across channels, especially when you look at how to get the do not call list to scrub phone records before dialing.

What common mistakes do ecommerce brands make with abandoned cart SMS consent?

The most common mistake is the checkout phone field problem: collecting a number for shipping updates, then routing it into a marketing flow. It happens constantly because the Shopify and WooCommerce SMS app ecosystems make it easy to wire a checkout phone plugin into an abandoned cart automation without anyone checking whether the consent language covers the new use.

Second most common: a pre-checked opt-in box. The FCC requires affirmative action. A pre-checked box fails that test no matter how visible the language is.

Third: consent language that does not name the brand. "I agree to receive texts from our marketing partners" does not authorize your brand to text anyone. The agreement has to name you.

Fourth: treating an email opt-in as SMS consent. Someone who subscribed to your email list and dropped a phone number in a profile did not agree to marketing texts. The channels require separate consent.

Fifth: not honoring STOP across all flows. A customer who opts out of abandoned cart texts has opted out of all your marketing texts. Sending a promo two weeks later because they did not opt out of that specific list is still a violation.

For how text message marketing fits the broader TCPA framework, and where the landmines sit across different use cases, read that alongside this piece.

Sixth: assuming you only need to worry if you send millions of messages. Courts have certified classes of a few hundred people. Small programs carry real exposure when consent is missing.

What should you do right now to audit your abandoned cart SMS program?

Start with the opt-in itself. Pull up your checkout page, your pop-ups, and every other place you collect phone numbers. Check whether the SMS opt-in is a separate unchecked checkbox with explicit marketing language, or whether it is buried, pre-checked, or bundled with transactional consent. If it is any of the latter, fix it before the next cart abandonment event fires.

Next, check your consent storage. Can you export a consent record for any given phone number showing when and how they opted in? If the honest answer is "I would have to ask our developer" or "I think it's in the platform somewhere," that is a gap.

Then check your suppression list. Are opt-outs applied in real time across all flows? Test it. Subscribe a test number, opt out, and see if a later abandoned cart event still fires a message. Five minutes tells you whether your mechanics actually work.

Review your message content. Does any message in the sequence carry promotional material (discount codes, urgency language, product recommendations)? All of it makes the message telemarketing. Make sure every message in the sequence sits under your marketing consent, more than just the first one.

Last, look at state exposure. If you have real customer bases in Florida or California, read the applicable statutes or have counsel review them. The TCPA floor is not the whole picture.

LeadCompliant has a free TCPA compliance checklist that walks through the consent documentation requirements for SMS programs, which gives this audit a consistent format to work from.

Frequently asked questions

Yes. A prior purchase gives you a transactional relationship but not marketing consent. The fact that someone bought from you does not mean they agreed to receive automated marketing texts. You need prior express written consent specifically for marketing messages, collected with proper disclosures, regardless of purchase history. An existing customer relationship is not a TCPA exemption.

Yes, if it meets the requirements. The pop-up must include an unchecked opt-in checkbox, visible language naming your brand, disclosure that texts are automated and for marketing purposes, the STOP mechanism, and the data rates notice. Pre-checked boxes and hidden disclosures fail. Pop-up consent collected properly is legally equivalent to checkout consent; the format does not change the standard.

Federal TCPA claims have a four-year statute of limitations under 28 U.S.C. § 1658. Some state-level analog claims may run on different clocks. That means consent records from today need to be stored and retrievable for at least four years. Deleting old records before the limitation period expires does not reduce exposure; it removes your defense.

Does the TCPA apply if my SMS platform does not use an ATDS?

Possibly not under the federal ATDS-specific prong, but this is genuinely complicated. The Supreme Court's 2021 Facebook v. Duguid decision narrowed the ATDS definition. If you use a prerecorded or artificial voice, TCPA applies regardless. Many state mini-TCPA statutes (especially Florida's) do not require an ATDS at all. Assume your SMS platform triggers TCPA risk unless counsel has reviewed your specific system.

No. Courts and the FCC look at the purpose of the message, not what you call it. A message designed to recover a sale is telemarketing. The number of messages you plan to send does not change the consent requirement for the first one. One text to one person without consent is one violation, and each person in a class action represents a separate count.

What if a customer gave their number to a third-party lead generator and that generator transferred the number to me?

Consent obtained by a third party generally must have specifically named you as the entity authorized to contact the consumer. The recent FCC one-to-one consent rulemaking targeted exactly this practice. Buying or receiving phone lists with "consent" from a lead generator is high-risk unless you can verify the consent expressly named your brand and described your type of messages. In practice, treat third-party lists as unconsented unless proven otherwise.

Do Shopify SMS apps handle TCPA compliance automatically?

No. SMS apps handle sending and some opt-out mechanics, but they do not control the opt-in language you show customers, whether your checkbox is pre-checked, or whether your disclosures meet the FCC's specificity requirements. You are responsible for what your opt-in form says and shows. Review every consent touchpoint your store uses, regardless of which app powers the sends.

Is a double opt-in required by law for abandoned cart SMS?

Not explicitly required by the TCPA or FCC rules as of this writing. But double opt-in creates a timestamped confirmation that the consumer took a second affirmative step, which is valuable evidence if consent is disputed. Many compliance attorneys recommend it, and the CTIA guidelines support it as a best practice. The legal minimum is prior express written consent; double opt-in is a way to document it more defensibly.

Can I text someone who abandoned their cart if they are on the national Do Not Call Registry?

The National DNC Registry primarily governs outbound telemarketing calls, not text messages, under the current FTC and FCC framework. But TCPA consent rules still apply to texts independently of DNC registration. The more important check for SMS is whether you have prior express written consent. Some state laws and FCC interpretations continue to evolve on whether DNC registration reaches texts, so monitoring this is worth doing.

What language do I need in the opt-in for abandoned cart texts to be compliant?

The opt-in language must name your brand specifically, state that the customer is agreeing to receive automated marketing texts (more than 'updates'), mention that message and data rates may apply, explain how to opt out (reply STOP), and note that consent is not required to purchase. The checkbox must be unchecked by default and the customer must actively check it. All of this must be visible before submission, not buried in a linked terms document.

How does TCPA compliance for SMS differ from compliance for outbound calls?

Both require prior express written consent for telemarketing. The main differences: telemarketing calls carry FCC-mandated calling hours (8am to 9pm local time) and must be scrubbed against the National DNC Registry. For texts, the primary compliance focus is consent documentation and opt-out mechanics, though texting someone at 2am can still trigger other complaints. Voice adds DNC scrubbing and time-of-day rules on top of the shared consent standard.

What happens if I inherited an existing SMS list from a previous owner of the business?

You cannot inherit TCPA consent. Consent is specific to the entity named in the opt-in agreement. If a business is acquired and the acquiring entity is different, the prior consent does not transfer. Sending abandoned cart texts to an inherited list under your new brand name without recollecting consent is a violation. You would need to recollect consent under your brand before marketing to that list.

Is there a safe harbor that protects me if I rely on my customer's consent in good faith?

There is a limited good-faith reliance defense for calls made based on a consumer's representation that they are not on the DNC Registry or have given consent, but courts have applied it narrowly. It does not excuse failing to build basic consent systems or sending texts based on consent records that lack required disclosures. Good faith is not a substitute for documented, properly collected consent.

How do I know if my SMS vendor is TCPA-compliant?

Ask them specifically what consent data they store, whether they can export consent records per phone number, and how they handle STOP requests across all active campaigns. Reputable platforms (Attentive, Klaviyo, Postscript) have compliance features, but 'the vendor is compliant' does not mean your opt-in forms and disclosures are compliant. Vendor compliance covers sending mechanics; your consent collection language is always your responsibility.

Sources

  1. U.S. Government, 47 U.S.C. § 227 (TCPA statute text via Cornell LII): TCPA establishes $500 per violation statutory damages, up to $1,500 for willful violations, and covers text messages sent via ATDS to mobile numbers
  2. FCC, 47 C.F.R. § 64.1200 (Code of Federal Regulations, FCC rules on telemarketing): FCC regulations define telemarketing as communications whose purpose is to encourage purchase of goods or services, and distinguish prior express written consent requirements for marketing vs. informational messages
  3. CTIA, Messaging Principles and Best Practices (wireless industry trade association): CTIA guidelines recommend limiting abandoned cart or similar triggered message sequences to approximately three messages per session and require clear opt-out mechanisms
  4. Florida Legislature, Florida SB 1120 (2021), Florida Telemarketing Act amendments (Mini-TCPA): Florida's 2021 Mini-TCPA (SB 1120) created state-level telemarketing restrictions that do not require proof of ATDS use, expanding exposure beyond federal TCPA standards for Florida-based contacts
  5. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the TCPA's ATDS definition in 2021, holding that a system must use a random or sequential number generator to qualify, affecting which sending systems trigger federal TCPA liability
  6. FTC, National Do Not Call Registry: The National DNC Registry primarily governs outbound telemarketing calls under FTC jurisdiction; SMS text messages are governed separately under FCC TCPA rules
  7. U.S. Code, 28 U.S.C. § 1658 (statute of limitations for federal civil claims): Federal civil actions, including TCPA claims, are subject to a four-year statute of limitations under 28 U.S.C. § 1658
  8. FCC, Consumer Complaint Center (unwanted text messages guidance): FCC confirms that TCPA covers text messages and that consumers can revoke consent at any time by replying STOP; senders must honor opt-out requests promptly

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit