SMS marketing compliance best practices under TCPA

TCPA violations cost $500, $1,500 per text. This guide covers every SMS compliance rule you need, consent, opt-outs, timing, and record-keeping.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-10

Compliance professional reviewing SMS marketing opt-in forms at a desk
Compliance professional reviewing SMS marketing opt-in forms at a desk

TL;DR

TCPA requires prior express written consent before you send a marketing text, a clear opt-out in every message, and records that prove the consent existed. Violations cost $500 per text for negligent sends and $1,500 for willful ones. These best practices cover consent capture, opt-out handling, record-keeping, send windows, and the FCC rules every SMS marketer follows.

What does TCPA actually require for SMS marketing?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, bars sending automated or prerecorded text messages to a cell phone without the recipient's prior express written consent. [1] Everything else flows from that one rule.

Informational texts sit in a lighter category. A shipping update or an appointment reminder needs only prior express consent. Marketing messages need more. The FCC requires prior express written consent, and the word "written" carries weight. A verbal yes on a phone call does not clear the bar for a marketing text.

The statute says prior express written consent must include "a clear and conspicuous disclosure" that the person is authorizing the seller to send autodialed marketing messages and that consent is not a condition of buying anything. [1] That language has to sit somewhere the consumer can read it before they check the box or type their number.

The FCC's rules under 47 C.F.R. § 64.1200 fill in the mechanics: consent must be in writing (electronic counts), must be signed by the consumer (an electronic signature or checkbox action qualifies), and must name the seller sending the messages. [2] Generic consent naming some unnamed future advertiser is not valid, a point the FCC drove home in its 2023 one-to-one consent rule. [3]

For a full breakdown of how the statute works, the tcpa overview is a good starting point.

Prior express written consent is a signed, written agreement from a consumer that clearly discloses they are agreeing to receive autodialed marketing texts from a specific company, and that their consent is not required to buy anything. [1] Miss any piece of that and the consent is not valid.

Capturing it right is where most small teams slip. Four things have to be true at the moment someone opts in:

1. The disclosure is visible before the consumer acts. Not buried in a linked terms page. Not in a footnote below the submit button. The words are on the screen, readable, before the person submits. 2. The consent names your company specifically. After the FCC's December 2023 order, a lead-gen form that routes consent to multiple unnamed advertisers no longer satisfies the standard. [3] 3. There is a clear statement that consent is not a condition of purchase. That phrase, or something functionally identical, has to appear. 4. A signature exists. A checkbox pre-checked by default does not count. The consumer has to take an affirmative act.

A compliant opt-in form collects the phone number, shows the disclosure above or right next to the opt-in button, requires an affirmative checkbox or button press, and records a timestamp and IP address the moment the person submits. See how to build one in the SMS opt-in form: what it must say and how to build one guide.

Double opt-in, where you send a confirmation text and require a keyword reply like YES, is not required by federal law. But it creates a second timestamped record that proves the number is reachable and that the consumer actually held the phone. That second record has won cases. The sms double opt-in article covers the mechanics.

What are the TCPA penalties for non-compliant SMS messages?

Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per text sent without proper consent, and $1,500 per text if the court finds the violation was willful or knowing. [1] No cap is written into the statute for class actions. That absence is the whole problem.

The math turns ugly fast. Send 10,000 promotional texts to a list with defective consent and you are staring at $5 million at the $500 rate, $15 million at the $1,500 rate. Courts have certified TCPA class actions on exactly those facts.

A couple of real settlements put the numbers in context. Dish Network settled a TCPA case for $6 million in 2021. Volkswagen of America settled for $1.4 million in 2017 over marketing texts to a class of consumers. The FCC has separately handed down civil forfeitures in the tens of millions against voice robocallers, though most SMS exposure comes through private plaintiff lawsuits, not agency action. [4]

For how these lawsuits actually play out, tcpa sms compliance covers the litigation patterns.

Some states stack their own damages on top of federal exposure. Florida's Telephone Solicitation Act and Washington's Commercial Electronic Mail Act each add per-message penalties. State law gets its own section below.

TCPA SMS violation exposure at a glance Key numbers every SMS marketer needs to know 500 $500 per text 1,500 $1,500 per willful violation 4 4-year consent record reten… minimum 13 8am–9pm local time send window Source: 47 U.S.C. § 227; FCC 47 C.F.R. § 64.1200; 28 U.S.C. § 1658

What opt-out rules must every marketing text include?

Every marketing text needs a clear, easy way to opt out. The FCC rules at 47 C.F.R. § 64.1200(d) require an opt-out mechanism that works immediately for any automated messaging program. [2] No delays, no hoops.

The industry standard, and what the major carriers enforce through their messaging guidelines, is STOP language in every message or at minimum in the first message of a thread. "Reply STOP to opt out" is not required word-for-word, but it is the phrasing every major aggregator and carrier expects, and it is the safest bet.

When someone sends STOP (or UNSUBSCRIBE, CANCEL, QUIT, END, or STOPALL), you honor it immediately. The carrier ecosystem treats those words as universal opt-out signals. Send another marketing message after a STOP and you have a violation. Courts have shown little patience for companies blaming a technical glitch.

Honor opt-outs from other channels too. If someone emails you and says "stop texting me," you cannot keep texting them just because they never sent STOP over SMS. The FCC treats revocation as revocation, whatever the channel.

One nuance trips people up. A transactional thread (order shipping updates) and a separate promotional program are technically different consent tracks. A STOP to your promotional program does not automatically end transactional alerts the person consented to separately. But that distinction only holds if you have clean program separation and documentation. Try to thread that needle without clean records and you have handed a plaintiff an argument.

When can you legally send marketing texts: time-of-day rules?

47 U.S.C. § 227 and the FCC's rules limit calls and texts to between 8 a.m. and 9 p.m. local time at the recipient's location. [1] The recipient's time zone, not yours. That single fact catches more teams off guard than any other.

Picture a batch send scheduled from the East Coast. A 9:15 p.m. ET send hits a California number at 6:15 p.m. Pacific, fine, and a Hawaii number at 3:15 p.m., also fine. The one that breaks the rule runs the other direction: a 7:45 a.m. ET send lands on an East Coast number at 7:45 a.m., before the 8:00 a.m. cutoff.

You have two clean options. Know the time zone of every number and schedule around it, or send only in a window that is safe in every U.S. time zone at once (8 a.m. Hawaii through 9 p.m. Eastern, roughly 2 p.m. to 9 p.m. ET if your list includes Hawaii numbers). Most small teams find the first option more practical once they segment by geography.

Some states run tighter windows. Florida's Telephone Solicitation Act bars calls or texts before 8 a.m. or after 8 p.m. local time, not 9 p.m. [5] When state law is stricter than federal, you follow state law for contacts in that state.

Consent records are your entire defense. If a plaintiff says "I never gave consent" and you cannot produce a record showing exactly when and how they opted in, you lose. In most TCPA cases the burden of proving consent sits on the sender.

Here is what a complete consent record holds:

  • Timestamp of the opt-in (UTC or a clearly stated time zone)
  • IP address of the submitting device
  • The exact URL or screen where consent was captured
  • A screenshot or archived version of the form as it appeared at opt-in, disclosure text included
  • The source or campaign that drove the opt-in
  • The phone number as entered

An email address and a "subscribed" flag in your CRM is not enough. Litigants ask for the disclosure language that appeared at opt-in. If you cannot produce it, you have a problem.

On retention: there is no single federal rule, but a four-year statute of limitations applies to TCPA claims under 28 U.S.C. § 1658. [6] Keep consent records at least four years from the date of the last message sent to that number. Some teams hold them five or six years for a buffer.

Buying leads from a third party raises the bar. You need the actual opt-in record: timestamp, source URL, disclosure language. A vendor saying "all our leads are TCPA compliant" is not a record. It is a sentence. Courts have not accepted it as a defense.

On December 13, 2023, the FCC adopted a Report and Order requiring consent for marketing calls and texts to be obtained one-to-one: one consumer, one specifically named seller. [3] The rule was set to take effect January 27, 2025, but the Eleventh Circuit vacated and remanded it to the FCC in January 2025 for further proceedings. [7]

As of mid-2026 the implementation timeline is unsettled, but the direction is not. Lead-gen forms that collect a phone number and route it to multiple unnamed advertisers under one blanket consent are the FCC's stated target. If your business runs on that model, as a lead buyer or a lead-gen publisher, you are living in a window that is closing.

Buying leads from comparison sites, aggregators, or co-registration forms? Audit your lead sources now. Can the vendor produce a one-to-one opt-in record that names your company specifically? If not, the risk on those leads just went up.

Running your own opt-in forms? The one-to-one rule is easy to meet: your form names your company and collects consent for your texts. That was already best practice. Nothing changes for you.

Track how the order evolves through tcpa news today.

What are the carrier and 10DLC registration requirements for business texting?

Since 2021, the major U.S. carriers (AT&T, T-Mobile, Verizon) require businesses sending texts over 10-digit long codes (10DLC) to register their brand and campaign through The Campaign Registry (TCR). [8] This is not a federal law the way TCPA is. But carriers filter or block messages from unregistered numbers, so in practice it is not optional.

Registration has two parts. Brand registration establishes who your company is (EIN, business name, address). Campaign registration describes what your texts do (promotions, alerts) and asks you to supply sample message content and confirm your opt-in and opt-out procedures. There is a one-time brand registration fee (roughly $4 to $5) and a monthly campaign fee (typically $10 to $15 per campaign per month), though the numbers vary by provider and shift periodically. [8]

Unregistered 10DLC traffic gets heavy filtering. Some carriers block it outright. If your messages are not reaching recipients, unregistered 10DLC is often the reason.

Short codes (5 or 6 digit numbers) run a separate, pricier provisioning process built for higher-volume senders. Toll-free numbers need verification through the toll-free registry before carriers treat them as trusted. On a platform like Twilio, these registrations happen in the console. The Twilio TCPA compliance: what you actually need to do guide walks through it.

Keep the two straight: 10DLC registration and TCPA compliance are separate obligations. Registering your campaign says nothing about whether your consent practices hold up. Both have to be in order.

How do state SMS marketing laws affect your compliance program?

TCPA sets a federal floor. States can build higher, and several have.

Florida (FTSA): Florida's Telephone Solicitation Act, amended in 2021, created a private right of action for unsolicited texts sent using an "automated system." Florida courts read it broadly at first, but a 2023 amendment pulled the "automated system" definition back toward the federal ATDS standard after a wave of litigation. Florida is still one of the busiest TCPA-adjacent litigation states. [5]

Washington: Washington's Commercial Electronic Mail Act and its Consumer Protection Act both touch SMS marketing. The state has seen class action filings over commercial texts.

California (CPRA): Not primarily a telemarketing statute, but the California Privacy Rights Act requires you to disclose the categories of personal information you collect (phone numbers included), who you share it with, and to honor requests to delete or opt out of the sale of that information. Collect leads in California and CPRA runs alongside TCPA as a parallel obligation. [9]

Texas and Oklahoma have their own telephone solicitation statutes with their own registration and restriction rules.

The upshot: if you send nationally, your baseline is TCPA plus the stricter state rules for wherever your recipients sit. Federal compliance alone does not cover you. For a closer look at state variation, lead generation compliance news tracks recent developments.

StateKey additional ruleEffective
FloridaPrivate right of action for automated texts; 8am, 8pm window2021, amended 2023
CaliforniaCPRA privacy rights layer on top of TCPA2023
WashingtonCPA intersection; active plaintiff barOngoing
OklahomaRegistration requirement for telephone solicitorsActive

What should a compliant SMS opt-in disclosure actually say?

This is where people go wrong, copying someone else's form without knowing what the language is doing. Here is what a compliant disclosure has to accomplish, in plain terms, before any legalese:

1. Tell the consumer they are agreeing to receive marketing texts from your company. 2. Tell them the frequency (at least an estimate: "up to 4 messages per month" or "message frequency varies"). 3. Tell them message and data rates may apply. 4. Tell them how to opt out. 5. Link to your terms of service and privacy policy. 6. State clearly that consent is not required to make a purchase.

Here is language that covers those bases: "By submitting your number, you agree to receive marketing text messages from [Company Name] at the number provided. Message frequency varies. Message and data rates may apply. Reply STOP to opt out. Consent is not a condition of purchase. View our Privacy Policy and Terms."

Short enough. The catch is placement. That text has to sit directly above or below the phone number field and above the submit button. Not on a separate page. Not behind a "see terms" link. On the same screen, readable, before the person acts.

For specific verticals, the opt-in SMS marketing: the complete compliance guide article has disclosure templates for common use cases. The sms opt-in guide covers the structural requirements in more detail.

LeadCompliant has a free checklist tool that walks you through whether a specific opt-in form hits all the required elements. Run your current form through it before your next campaign.

What records and processes should a small team have in place to reduce TCPA risk?

You do not need a compliance department. You need a handful of non-negotiable processes and the discipline to run them before every campaign.

Before any send:

  • Confirm every number on the list has a consent record you can actually retrieve.
  • Scrub against the National Do Not Call Registry if the message could count as a solicitation. [10] Residential numbers on the DNC Registry need their own analysis (TCPA and DNC are separate but overlapping regimes).
  • Confirm the campaign is 10DLC registered under the right campaign type.
  • Check that the send lands inside 8 a.m. to 9 p.m. local time for every recipient time zone.

In every message:

  • Include your company name or identifier so the recipient knows who is texting.
  • Include opt-out instructions (STOP).
  • Never make consent to receive texts a condition of any purchase or service.

After any opt-out:

  • Pull the number from your active list within seconds, or at most within one business day.
  • Log the opt-out with a timestamp.
  • Do not re-add that number to a marketing list without fresh, documented consent.

Ongoing:

  • Audit your consent record storage quarterly. Make sure you could produce records for every number on your active list.
  • Review lead vendors annually. Their consent practices change without a heads-up.

Some verticals carry their own quirks. Real estate teams, for example, run into problems with leads from aggregator portals. The real estate text message marketing guide covers those.

LeadCompliant's one-time compliance kit includes a consent record template, an opt-in disclosure checklist, and a DNC scrub workflow built for small teams. It is linked at the end of this article if you want the full package.

How do text message marketing platforms handle TCPA compliance, and does using one protect you?

A common misconception, worth killing directly: a compliant platform does not make your campaign compliant. Platforms handle the technical delivery layer. Consent is yours to own.

Good text message marketing software manages opt-out keywords automatically, suppresses STOP responders from future sends, handles 10DLC registration, and gives you message logs with timestamps. Those are table stakes for any serious platform.

What it cannot do: validate that your opt-in form language is legally sufficient, verify that a lead source actually captured consent, or confirm your disclosure appeared correctly when a consumer signed up.

Some platforms offer consent verification features or hooks into consent management tools. Those help. But they are only as good as the data you feed them. If your opt-in form was missing disclosure language for the last six months and you logged those sign-ups as consented, the platform timestamp is not a defense. It records the event. It does not make the event legally sufficient.

The short version: a platform handles delivery integrity. You own consent integrity. Both matter, and neither substitutes for the other. For a broader look at what platforms do and what they leave to you, the marketing text message service article covers the landscape.

Frequently asked questions

Yes. Existing customers still need prior express written consent for marketing texts, under the FCC's rules implementing 47 U.S.C. § 227. An existing business relationship does not satisfy the written consent requirement on its own. You need a documented opt-in with the required disclosure language, even if the person has bought from you before.

Can I text someone who gave me their number on a physical business card?

No, not for marketing messages. A business card is not written consent under TCPA. The person handed you a number for contact, not for automated marketing texts. You would need them to complete a formal opt-in with the required disclosure and affirmative acknowledgment before you send any promotional SMS.

What is the statute of limitations on TCPA SMS claims?

Four years. Federal TCPA claims fall under the general federal four-year statute of limitations at 28 U.S.C. § 1658. Some state-law TCPA-adjacent claims carry different limitations periods. This is why consent records should be kept at least four years after the last message sent to any given number.

Does the National Do Not Call Registry apply to text messages?

The DNC Registry's primary reach is telephone solicitations (voice calls), but the FCC and courts have extended its logic to text messages in some contexts. More directly, TCPA's consent requirements apply to text messages on their own terms. DNC scrubbing and TCPA consent are separate obligations, and both apply to outbound SMS marketing aimed at consumers.

How long do I have to honor an opt-out request after someone replies STOP?

Immediately, in practice. The FCC requires opt-out requests to be honored promptly. Carrier guidelines generally expect STOP responses to suppress future messages within seconds. There is no statutory grace period. Sending another marketing message to a STOP responder, even one, is a clear violation, and plaintiffs' attorneys specifically hunt for this pattern.

Is SMS double opt-in required by law?

No federal law requires double opt-in for SMS. But it creates a second timestamped, carrier-confirmed consent record proving the consumer controlled that phone. In litigation, that record earns its keep. Many compliance professionals recommend double opt-in for marketing campaigns even though it is optional, because the protection outweighs the small hit to conversion rate.

Can I send texts to numbers I purchased from a lead vendor?

Only if the vendor can produce a valid prior express written consent record that names your company specifically, includes the required disclosure language, and carries a timestamp and source URL. A vendor certificate saying leads are TCPA compliant is not enough. Since the FCC's one-to-one consent rule, blanket multi-advertiser consent for purchased leads is no longer valid.

What is the TCPA rule on text message send times?

You cannot send marketing texts before 8 a.m. or after 9 p.m. local time at the recipient's location, under 47 U.S.C. § 227 and its implementing regulations. Some states are stricter: Florida caps calls and texts at 8 a.m. to 8 p.m. When sending nationally, you need each recipient's time zone and you schedule around it.

Does TCPA apply to B2B SMS marketing?

TCPA applies to any text sent to a cell phone using an autodialer or prerecorded message, regardless of whether the recipient is a consumer or a business. The number matters, not the business context. Text a business owner's cell phone and TCPA applies. Some defenses and exemptions get read differently in B2B settings, but the baseline consent requirement still stands.

What counts as an autodialer (ATDS) for TCPA purposes after Facebook v. Duguid?

The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the ATDS definition: a system must use a random or sequential number generator to produce or dial numbers to qualify. A list-based dialer that simply dials from a stored list may fall outside the definition. But state laws like Florida's FTSA reach broader technology, so the practical risk has not gone away.

How do I handle TCPA compliance for texts sent through a CRM like HubSpot or Salesforce?

The platform does not change your obligations. You need valid prior express written consent before adding a number to any outbound SMS sequence, whatever tool sends it. The CRM or platform has to suppress opt-outs immediately. You are responsible for making sure your opt-in forms and consent records meet TCPA standards before you import contacts into any messaging workflow.

Are transactional texts like order confirmations exempt from TCPA consent requirements?

Transactional texts need only prior express consent, not the higher written consent standard that marketing requires. But the message has to stay genuinely informational. If a transactional message carries promotional content, upsells, or anything marketing-adjacent, the FCC treats it as marketing, and the written consent standard applies. A delivery confirmation that adds 'while you wait, check out our sale' is a marketing text.

What happens if a consumer claims they never consented, but I have a record showing they did?

Your consent record is the defense. Courts have sided with senders who can produce the opt-in timestamp, the IP address, the source URL, and the disclosure language as it appeared. Senders lose when records are incomplete, the disclosure was missing or buried, or they cannot show the consumer took an affirmative act. Record quality matters more than record existence.

Do I need to register my 10DLC number to be TCPA compliant?

10DLC registration with The Campaign Registry is a carrier requirement, not a TCPA legal one. But unregistered numbers face carrier filtering that can block your messages entirely. Separately, TCPA compliance turns on valid consent, proper opt-out handling, and correct timing regardless of registration. Both are necessary: registration keeps messages deliverable, consent practices keep you legally protected.

Sources

  1. U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits automated marketing texts without prior express written consent; statutory damages are $500 per violation and $1,500 for willful violations
  2. FCC, 47 C.F.R. § 64.1200 (Delivery Restrictions): FCC regulations require prior express written consent for marketing texts, define written consent to include electronic signatures, and require opt-out mechanisms
  3. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA restricts calls and texts to 8am–8pm local time and created a private right of action for automated texts, amended in 2023
  4. U.S. Government Publishing Office, 28 U.S.C. § 1658 (four-year statute of limitations): Four-year federal statute of limitations applies to TCPA claims, establishing the minimum record retention period for consent records
  5. U.S. Court of Appeals, Eleventh Circuit, Insurance Marketing Coalition Ltd. v. FCC, No. 24-10277 (2025): Eleventh Circuit vacated and remanded the FCC's one-to-one consent order in January 2025, creating uncertainty about implementation timeline
  6. The Campaign Registry, Brand and Campaign Registration Documentation: 10DLC requires brand and campaign registration through TCR; brand registration fee approximately $4–$5 one-time, monthly campaign fees typically $10–$15 per campaign
  7. California Privacy Protection Agency, California Privacy Rights Act (CPRA): CPRA requires disclosure of personal data collected (including phone numbers), data sharing practices, and honoring consumer deletion and opt-out-of-sale requests
  8. FTC, National Do Not Call Registry: Telemarketers must scrub against the National Do Not Call Registry; applies to telephone solicitations including certain text message solicitations

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit