Last updated 2026-07-10

TL;DR
Yes. The Telephone Consumer Protection Act (47 U.S.C. § 227) treats text messages the same as phone calls to cell phones. The FTC's Telemarketing Sales Rule also covers many commercial texts. Sending unsolicited marketing texts without prior express written consent exposes senders to $500, $1,500 per message in statutory damages, and class actions routinely bundle thousands of violations.
What laws actually govern spam text messages?
Two federal laws do most of the work here, and they run in parallel, not as either-or.
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the main statute. Congress passed it in 1991 to regulate calls to residential lines, but the FCC has read "call" to include text messages since at least its 2003 Report and Order (In the Matter of Rules and Regulations Implementing the TCPA, FCC 03-153). That reading has survived court challenges. The statute's key prohibition covers any call made "using any automatic telephone dialing system" or an artificial or prerecorded voice to a cellular telephone number [1].
The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) reaches commercial text messages sent as part of a telemarketing campaign. The TSR's coverage runs a little narrower than the TCPA because it centers on transactions where the consumer is induced to buy something, but for most marketing text programs the two laws overlap almost completely [2].
State laws add another layer. Florida's FTSA, Texas Business & Commerce Code § 305.053, and Oklahoma's 2022 mini-TCPA each created state-level private rights of action, some broader than the federal floor. A single bulk text blast can trigger liability under federal law, the law of every state where a recipient lives, and multiple class actions at once.
Send a marketing text to a U.S. cell number and federal telemarketing rules apply. Full stop.
Does the TCPA explicitly cover text messages or is that just FCC interpretation?
The TCPA never uses the word "text," so its coverage of SMS comes from FCC interpretation that federal courts have confirmed for two decades. It is settled law, not a gray area.
The text of 47 U.S.C. § 227(b)(1)(A)(iii) bars using an automatic telephone dialing system (ATDS) to make any call to a cellular telephone number without prior express consent. The word "text" doesn't appear in the 1991 statute because consumer SMS barely existed. The FCC closed that gap in 2003, ruling that text messages to cell phones are calls under the statute [1].
Courts backed that reading. In Satterfield v. Simon & Schuster (9th Cir. 2009), the Ninth Circuit held that a text message is a "call" under the TCPA [10]. The Third, Seventh, and Eleventh Circuits reached the same result in later cases.
The Supreme Court's 2021 Facebook v. Duguid decision narrowed the definition of an ATDS, holding that a system must have the capacity to store or produce numbers "using a random or sequential number generator" [3]. That knocked out some lawsuits. It did not end TCPA liability for texts. Campaigns that send pre-loaded contact lists through a platform with autodialing capability still carry real exposure, and the FCC's one-to-one consent rule (effective January 2025) sharpened the consent requirements that apply no matter how the ATDS question shakes out [4].
What counts as an "automatic telephone dialing system" for texts?
After Facebook v. Duguid (2021), an ATDS is a system that stores or produces telephone numbers to be called using a random or sequential number generator [3]. A platform that only dials from a pre-uploaded list of specific numbers, with no randomization, might not qualify under that standard.
That sounds like an escape hatch. It's a narrow one.
Many commercial texting platforms use sequential or random number functionality somewhere in their code, and plaintiffs' lawyers dig for it in discovery. The FCC can also revisit its rules, and pending proceedings could widen the ATDS definition. Even if your system isn't an ATDS, you still face the TCPA's separate ban on texting numbers on the National Do Not Call Registry, plus the TSR and state laws.
If you're using any bulk SMS platform to send marketing texts, assume the TCPA applies to your campaign. The cost of being wrong is too steep to bet on a technicality.
The same ATDS analysis applies to voice calls. See our guide on cold calling rules for how the definition plays out on the phone side.
What consent is required before sending marketing texts?
Marketing texts need the highest form of consent the TCPA recognizes: prior express written consent. Anything less than a signed, specific, written opt-in is a defense that falls apart in court.
Prior express written consent is required for any telemarketing text sent to a cell phone using an ATDS. The FCC's 2012 rule amendment (Report and Order, FCC 12-21) defined it as an agreement that (1) is in writing (electronic form counts), (2) bears the signature of the person called (electronic signatures count), (3) clearly authorizes the seller to deliver advertisements or telemarketing messages using an ATDS, and (4) discloses that agreeing is not a condition of purchase [5].
The FCC's one-to-one consent rule, effective January 2025, added a requirement: the written consent must name the specific seller sending the messages, not blanket consent to receive texts from any partner of a lead generator. If you bought a list and the opt-in language said "receive offers from our partners," that consent almost certainly fails the new standard [4].
What doesn't count as consent:
- A pre-ticked checkbox at purchase (no affirmative agreement)
- A privacy policy buried in terms of service with no active agreement
- An oral agreement (oral consent can authorize informational texts but not marketing texts, which need written consent)
- Consent obtained by a different company than the one sending the text
For how consent flows work in practice, the consent and opt-in section has more detail.
One practical note: document every consent with a timestamp, the exact language the consumer saw, the IP address or device identifier, and the specific seller named in the disclosure. You will need all of it in litigation.
How much can a spam text actually cost you per message?
The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [6]. Each text to each recipient is a separate violation. There is no cap.
Those numbers look small for a single text. They are ruinous at scale.
A campaign that sends 100,000 texts without proper consent creates up to $50 million in exposure at $500 per text, or $150 million if the violations are deemed willful. TCPA class actions settle in the eight figures with regularity. Papa John's settled a TCPA text case for $16.5 million in 2013. Rite Aid settled a text case for $20.9 million. Capital One resolved a combined calls-and-texts TCPA case for $75.5 million in 2014 [7].
The FTC can separately seek civil penalties up to $51,744 per violation under the TSR, a ceiling the agency adjusts for inflation under the Federal Civil Penalties Inflation Adjustment Act [2].
State law piles on. Florida's FTSA provides $500 per call or text for a first violation and up to $1,500 for each later one, with no requirement to show harm, mirroring the TCPA structure but reaching a broader set of calling technologies [8].
See the penalties and lawsuits section for how courts calculate these damages in class actions.
What penalty amounts look like across major violation types
Per-violation exposure runs from $500 under the TCPA to $51,744 under the TSR, and the difference is mostly about who sues you. The table below compares the four frameworks that cover spam texts. All figures come from the statutes or agency guidance cited in this article.
| Framework | Per-violation amount | Willful/knowing multiplier | Who can sue |
|---|---|---|---|
| TCPA (federal) | $500 | Up to $1,500 | Private plaintiffs, class actions |
| FTC Telemarketing Sales Rule | Up to $51,744 | No multiplier; civil penalty | FTC only (no private right of action) |
| Florida FTSA | $500 (first offense) | Up to $1,500 (subsequent) | Private plaintiffs, class actions |
| Texas BCC § 305.053 | $500 per call/text | Up to $1,500 willful | Private plaintiffs |
The TSR's high ceiling ($51,744 per violation as of the current inflation adjustment) is an FTC-only tool. You aren't fighting a class of consumers, you're fighting the federal government. Different, not safer. The TCPA's private right of action drives most lawsuits because any recipient can file without proving actual damages. That single feature is why plaintiffs' firms build entire practices around text campaigns.
Does the Do Not Call Registry cover text messages?
Yes, with some nuance. The National Do Not Call Registry, maintained by the FTC under 16 C.F.R. Part 310.4(b)(1)(iii), bars telemarketing calls (including texts that are part of a telemarketing campaign) to registered numbers [2]. Consumers who register their cell numbers are protected from unsolicited commercial texts the same way they are from unsolicited voice calls.
The TCPA separately bars sending texts to numbers on the DNC Registry through its residential-line protections, which the FCC extended by rule to cell phones.
Before any text campaign, scrub your list against the National DNC Registry. The FTC charges telemarketers to access it: the first area code is free, then it runs roughly $70 per area code per year under recent fee schedules, with a full national list around $18,000 per year. Those numbers change, so check the FTC's current fee page [11].
The DNC list guide walks through the scrubbing process step by step.
One gap matters. The DNC Registry doesn't stop texts from companies where the consumer has an established business relationship (EBR). If a customer bought from you in the last 18 months or made an inquiry in the last 3 months, you have an EBR that gives you a defense for voice calls. Texts are tighter: marketing texts need written consent regardless of any EBR, so the EBR alone won't save a marketing text.
Are B2B text messages exempt from TCPA rules?
Mostly no, and this trips up a lot of B2B sales teams. The TCPA's cell phone provisions apply to the number called, not the reason for the call.
A sales rep's cell phone is a cell phone whether they use it for work or family. Texting a prospect's cell number with a marketing message without consent violates the TCPA even when the content is purely B2B.
The FTC's TSR does have a partial B2B exemption: calls between two businesses are generally exempt from the TSR's core provisions, including the DNC requirements, when neither party is a consumer [2]. That exemption covers the TSR, not the TCPA. If the destination is a cell phone, the TCPA still applies.
The FTC's position on B2B calls and the TSR's exemptions runs deeper in this guide on the FTC Telemarketing Sales Rule and B2B calls.
Practical guidance: if you're texting a business contact's personal cell number, get written consent before you send marketing messages. Texting a business's dedicated text line (a POTS line or a landline that also receives SMS) puts you on different legal ground, but most working business lines are cell-forwarded now, so the safe assumption is that cell rules apply.
What time-of-day rules apply to marketing texts?
The TCPA and FCC rules bar telemarketing calls and texts before 8 a.m. or after 9 p.m. in the recipient's local time [1]. The recipient's local time, not yours. That distinction is where campaigns get burned.
A company texting from New York at 8 p.m. ET is fine for a recipient in Los Angeles, where it's 5 p.m. Send that same batch to a Puerto Rico number and it's already 8 p.m. Atlantic time, one hour ahead, closer to the edge. Multiply that across a national list and one mistimed send becomes hundreds of violations.
The FTC's TSR sets the same 8 a.m. to 9 p.m. local-time window for telemarketing contacts [2]. The full breakdown of those hours and how to set up your platform is in the TCPA quiet hours guide.
Most commercial SMS platforms let you set sending windows by time zone. Use that feature. Sending outside the window is a per-message violation that stacks on top of any consent problems you already have.
How do opt-out requests work for text message marketing?
A consumer can revoke consent at any time using any reasonable method, and you have to honor it fast. The FCC's 2024 order on consent revocation (FCC 24-113, adopted October 2024) formalized this, confirming that consumers can revoke by any reasonable means and senders must stop promptly [9].
For texts, industry practice and FCC guidance treat standard opt-out keywords (STOP, QUIT, CANCEL, UNSUBSCRIBE, END) as clear revocations. If a recipient replies STOP, you stop. One more marketing text after a STOP reply is a knowing violation, which means $1,500 in statutory damages for that single message.
The 2024 order also lets senders send one final confirmatory text acknowledging the opt-out, but that message cannot carry any marketing content [9].
Process opt-outs in seconds, not hours. Automate it at the platform level. Log every opt-out with a timestamp. If your platform doesn't suppress future messages to opted-out numbers automatically, get a different platform.
What are the biggest compliance mistakes text marketers make?
From public TCPA litigation records, a handful of mistakes repeat over and over.
Buying contact lists and assuming the consent transfers. It doesn't. Under the FCC's 2025 one-to-one consent rule, consent has to name your company [4]. A list aggregator's blanket opt-in language almost never clears that bar. This is the single most common source of mass-litigation exposure right now.
Not honoring opt-outs across all campaigns. A consumer who opts out of one message type (say, promotional texts) has, in many courts, been found to have opted out of all marketing texts from that sender. Separate opt-out lists for separate campaigns leave gaps that plaintiffs exploit.
Relying on oral consent for marketing texts. The TCPA requires written (including electronic) consent for autodialed marketing texts. A verbal yes on a sales call is not enough.
Missing time zone logic in bulk sends. One batch scheduled for 8 a.m. in the sender's zone can fire at 5 a.m. in a recipient's zone, spawning hundreds or thousands of per-message violations from one campaign.
No consent documentation. Consent is an affirmative defense. If you can't produce the record, you don't have the defense. Once a plaintiff shows they received a text, courts shift the burden to the sender to prove consent existed.
If your team wants a quick audit of current practices, LeadCompliant's free TCPA compliance checklist covers the consent documentation, opt-out, and list-scrubbing steps most teams miss.
What should a TCPA-compliant text marketing program actually look like?
A compliant program starts and ends with proof: consent you can show, opt-outs you honor system-wide, and a send window keyed to each recipient's clock. Everything else builds on those.
Start with the consent language. The opt-in disclosure needs to name your company specifically, say you will send marketing texts via autodialer, state the approximate message frequency, disclose that message and data rates may apply, and remind the consumer they can reply STOP to opt out and HELP for help. All of that before the consumer hits submit [5].
Capture and store the consent record. Log the timestamp, the IP address, the exact consent language the consumer saw, and the specific number they used. Keep that data for at least 4 years (the TCPA's statute of limitations is 4 years under 28 U.S.C. § 1658).
Scrub your list before every send. Run the numbers against the National DNC Registry, your internal opt-out list, and any state DNC lists (California, Colorado, and Indiana each keep their own).
Configure your platform for compliant hours. Set your send window to 8 a.m. to 9 p.m. in each recipient's local time zone. If your platform can't do this automatically, you have the wrong platform.
Automate opt-out processing. STOP keywords must suppress the number immediately and across every campaign, more than the one it arrived in.
For teams running text and voice together, the AI cold calling guide covers how the same consent rules apply when AI systems send voice messages, which the FCC treats much like texts.
LeadCompliant's one-time compliance kit includes the consent language templates, opt-out automation checklist, and list-scrubbing workflow documentation that most small teams spend weeks building from scratch.
Can a company face criminal charges for spam texts, or is it only civil?
The TCPA is primarily a civil statute. For an ordinary marketing team that got sloppy with consent, the risk is civil, not criminal. Private plaintiffs and state attorneys general bring civil actions, and the FCC can issue forfeitures. Criminal exposure under the TCPA itself is rare, usually reserved for fraud-adjacent conduct.
Spam text campaigns that involve fraud, identity theft, or wire fraud can trigger federal criminal charges under 18 U.S.C. § 1343 (wire fraud) or the CAN-SPAM Act (which governs commercial email but touches some commercial electronic messaging). The FTC and DOJ have pursued criminal referrals in cases involving scam texts impersonating government agencies or banks.
For a legitimate business running aggressive but honest text campaigns, the real exposure is civil: class action litigation, FTC civil penalties under the TSR, and state attorney general actions. Those are punishing enough on their own. Criminal prosecution isn't the typical outcome for a marketing team that mishandled consent, but it stops being hypothetical the moment the conduct turns deceptive.
The what the Telemarketing Sales Rule is designed to do guide covers the TSR's enforcement mechanisms, including how the FTC decides when to bring civil penalty actions.
Frequently asked questions
Do TCPA rules apply to texts sent from a regular cell phone, not a platform?
Probably not the same way. The TCPA's autodialer restriction applies to an automatic telephone dialing system. A person manually typing and sending individual texts from their own phone almost certainly isn't using an ATDS. But if you're sending bulk texts through a platform interface that queues and sends at scale, that's closer to ATDS territory. The Do Not Call and consent rules still apply regardless of the sending method if the text is commercial.
Is there a minimum number of texts before the TCPA kicks in?
No. The TCPA applies to each individual text. One unsolicited marketing text to a cell phone without prior express written consent is one violation and $500 in potential statutory damages. There's no de minimis threshold. Courts have certified class actions over single-text campaigns that went to thousands of people, and individual plaintiffs have won over single unwanted texts.
Does CAN-SPAM apply to marketing text messages?
CAN-SPAM (15 U.S.C. § 7701) covers commercial electronic mail messages. The FTC's position is that it generally does not apply to SMS, though some commercial MMS messages with email-like headers create edge cases. For texts, the TCPA and TSR are the primary federal frameworks. Don't treat CAN-SPAM compliance as a defense to a TCPA claim about texts.
What is "prior express written consent" exactly, and does a checkbox count?
Under the FCC's 2012 rules, prior express written consent for marketing texts requires a written agreement (electronic is fine), a signature (electronic is fine), a clear authorization to receive autodialed marketing texts, and disclosure that consent isn't required to buy anything. A pre-checked checkbox likely fails the affirmative agreement standard. An unchecked, clearly labeled checkbox the consumer actively checks is generally sufficient if the disclosure language is complete.
How long do I have to honor a STOP opt-out request?
The FCC's 2024 consent revocation order requires opt-out requests to be honored within a commercially reasonable time. For texts with automated STOP processing, commercially reasonable means immediately or within minutes. A platform that batches opt-out processing daily or weekly creates exposure: any marketing text sent to an opted-out number after the revocation is a separate knowing violation worth up to $1,500.
Can I text someone who gave me their number verbally?
For informational texts (appointment reminders, delivery notifications, two-factor authentication), an oral or implied agreement may be enough. For marketing texts sent via an autodialer, the TCPA requires prior express written consent. A number given verbally in a sales call, or written on a paper form without a compliant consent disclosure, does not satisfy the written-consent standard for marketing messages.
Does the FTC's Telemarketing Sales Rule cover texting to cell phones?
Yes. The TSR covers telemarketing calls, and the FTC treats texts sent as part of a telemarketing campaign as covered calls. The TSR's DNC restrictions, calling hours rules, and deceptive practice prohibitions all apply to commercial text campaigns. The TSR doesn't create a private right of action (only the FTC can sue under it), but civil penalties can reach $51,744 per violation under current inflation adjustments.
Are political text messages exempt from TCPA rules?
Partially. Political texts are generally exempt from the TSR because they aren't selling goods or services. Under the TCPA, political texts to cell phones using an ATDS still require prior express consent because the cell phone provision doesn't carve out political speech. The law here is genuinely contested, and some campaigns have raised First Amendment defenses, but most federal courts have applied the TCPA to political texts.
What states have their own laws that go beyond federal TCPA rules for texts?
Several states enacted telemarketing or telephone solicitation statutes that cover texts and sometimes run stricter than the TCPA. Florida's FTSA (Fla. Stat. § 501.059), Texas Business & Commerce Code § 305.053, Oklahoma's Telephone Solicitation Act (2022), and Washington's Commercial Electronic Mail Act are the most frequently litigated. State laws can add remedies, apply different consent standards, or define covered technology more broadly.
What happens if I bought a list and the numbers had opt-in consent to a different company?
Under the FCC's January 2025 one-to-one consent rule, consent given to a lead generator or list aggregator doesn't transfer to you unless it specifically named your company. List-bought consent is one of the most dangerous practices in text marketing right now because the consent records rarely hold up in litigation. If you bought a list, assume you need to get your own consent before sending marketing texts.
How does a TCPA class action for spam texts actually start?
Usually one recipient who got an unwanted text contacts a plaintiffs' attorney, who investigates whether the sender used an ATDS, had proper consent, and has identifiable class members (other people who got the same texts). If those pieces line up, the attorney files a class action seeking damages for the whole class. The case is expensive to defend even when you win, which is why most settle. Text campaigns hitting 50,000 or more recipients routinely settle for seven to eight figures.
Is there a safe harbor for good-faith TCPA compliance mistakes?
The TCPA has a limited safe harbor for calls made in error when the sender has implemented reasonable practices and procedures, kept an internal do-not-call list, trained personnel, and honored previous opt-outs. This defense applies to some DNC violations but not to the core ban on texting without prior express written consent. Courts have been skeptical of good-faith defenses when the sender had no consent documentation at all.
Do transactional or informational texts have different rules than marketing texts?
Yes. Purely informational texts (shipping notifications, account alerts, appointment reminders) with no marketing content require prior express consent, but not necessarily written consent. The written-consent requirement applies specifically to telemarketing texts. The line can be thin: a shipping confirmation that also tacks on a promotional offer becomes a marketing text, and the stricter consent standard applies.
What's the statute of limitations for a TCPA text message claim?
Four years, under the general federal statute of limitations at 28 U.S.C. § 1658. The clock starts when the violation occurs, meaning when the text was sent. For ongoing campaigns, the limitations period runs separately for each text, so a campaign running two years can carry violations across the full four-year window if the plaintiff files promptly.
Sources
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR covers commercial texts in telemarketing campaigns; DNC Registry; B2B exemption; civil penalties up to $51,744 per violation
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition requires capacity to store or produce numbers using a random or sequential number generator
- 47 U.S.C. § 227(b)(3), Telephone Consumer Protection Act: $500 statutory damages per violation; up to $1,500 for willful or knowing violations; no cap on total damages
- FTC enforcement records and public TCPA settlement filings: TCPA class action settlements: Papa John's $16.5 million (2013), Rite Aid $20.9 million, Capital One $75.5 million (2014)
- Florida Statutes § 501.059, Florida Telephone Solicitation Act (FTSA): Florida FTSA provides $500 per violation for first offense, up to $1,500 for subsequent violations; private right of action
- Ninth Circuit Court of Appeals, Satterfield v. Simon & Schuster, Inc., 569 F.3d 946 (9th Cir. 2009): Text messages constitute 'calls' under the TCPA; TCPA applies to commercial text message campaigns
- FTC, National Do Not Call Registry, fee schedule and access information: DNC Registry covers commercial texts as part of telemarketing campaigns; access fees charged per area code
- Texas Business & Commerce Code § 305.053: Texas state law provides $500 to $1,500 per unsolicited commercial text; private right of action for recipients