Last updated 2026-07-09

TL;DR
The best SMS services for compliance automate opt-in capture, store time-stamped consent records, process STOP replies immediately, and produce audit-ready logs on demand. Platforms differ sharply on revocation handling, double opt-in, and consent proof. This guide compares what matters, what to skip, and what a TCPA suit actually costs when you get it wrong.
What does TCPA-compliant SMS consent management actually require?
TCPA-compliant SMS consent means you captured written permission, tied it to a specific phone number, timestamped it, and can pull that record on demand years later. The Telephone Consumer Protection Act, 47 U.S.C. § 227, bars automated texts to a cell phone without the recipient's "prior express written consent." [1] The FCC's rules at 47 C.F.R. § 64.1200 give that phrase teeth: the consent must be in writing (electronic counts), must clearly authorize autodialed or prerecorded messages, and must not be a condition of any purchase. [2]
So a checkbox alone gets you nowhere. You need a system that records exactly when and how consent was given, ties it to the number, and keeps it accessible when a plaintiff's attorney subpoenas your records three years later. TCPA claims run on a four-year statute of limitations under 28 U.S.C. § 1658, so your retention window has to match. [3]
Opt-outs carry the same weight. The FCC's one-to-one consent order, effective January 27, 2025, tightened the rules so consent given to one seller cannot be shared across a lead network as a blanket authorization. [4] That single change forces a lot of outbound teams to rethink bought leads entirely.
The practical floor for any compliant SMS service: collect consent through a documented touchpoint (web form, keyword reply, scanned paper form), store that record with a timestamp and IP address or inbound message metadata, process STOP replies immediately, and suppress that number forever. Anything short of that is a liability sitting on your books.
What are the actual penalties if your SMS program gets consent wrong?
TCPA statutory damages are $500 per violation and $1,500 per willful violation, with no cap per case in federal court and class actions allowed. [1] A single campaign of 50,000 texts sent without proper consent could expose you to $25 million in statutory damages on paper, and courts have certified TCPA classes at that scale.
Real settlements set the range. Facebook paid $650 million to resolve a text-message class action in 2021. Papa John's settled a text case for $16.5 million. Smaller companies face the same per-message math with none of the reserves. WebRecon's litigation tracker puts TCPA federal filings at roughly 3,000 to 4,000 per year, with text cases taking a growing share as voice calling fades. [5]
Insurance rarely bails you out. Most commercial general liability policies exclude statutory violations, and specialty TCPA coverage is expensive and hard to find for high-volume outbound teams. Prevention is cheaper than defense, and it is not close. A good compliance platform costs $300 to $3,000 per month depending on volume. TCPA defense attorneys bill $300 to $600 an hour, and a single case can eat hundreds of hours.
For a full breakdown of exposure ranges, see our guide to tcpa sms compliance.
What features should you look for in an SMS consent management platform?
Look for consent capture with full metadata, immediate opt-out processing, per-number consent export, live suppression checks at send time, and immutable audit logs. Most "SMS marketing platforms" are built for e-commerce promotional blasts where the marketing team wants speed, not evidence. Here is what separates a compliance-grade tool from a bulk sender.
Consent capture and storage. The platform should record the source of consent: the opt-in form URL, the timestamp in UTC, the submitter's IP address, and the phone number. If consent comes by keyword (someone texts JOIN to your short code), it should log the inbound message metadata. This is your evidence file, and one day it is exhibit A.
Opt-out processing speed. STOP replies must stop texts. The FCC requires opt-out requests to be honored "within a reasonable time," and the carrier-enforced industry standard is immediate suppression. Some platforms batch opt-outs overnight. That is a problem. One text after a STOP reply has landed companies in court.
Double opt-in support. Double opt-in sends a confirmation message after sign-up and activates the contact only when they reply YES. It is not required under federal TCPA rules, but it is strong evidence of consent and it kills fake sign-ups. Platforms that make it easy and auditable earn the friction.
Consent record export. You need per-number consent history on demand. In litigation you may have 30 days to produce it. If your vendor cannot export a single number's consent record, walk away.
DNC and suppression list integration. The platform should check every number against the National Do Not Call Registry and your internal opt-out list before every send, more than at import. Numbers hit the DNC list daily.
Audit logs. Every message sent, every opt-out received, every consent record created or changed should carry an immutable timestamped log. Some platforms let admins delete records. That is dangerous, because deletion can read as spoliation in litigation.
See also: sms opt in form for what the consent capture touchpoint needs to say.
How do the top SMS compliance platforms compare?
No single platform wins for everyone. Twilio flexes for engineers, the e-commerce tools nailed consent capture out of necessity, and a few mid-priced options cover most outbound sales teams. Pricing below reflects published rates as of mid-2025. Verify current pricing with the vendor directly, because this market moves fast.
| Platform | Consent recordkeeping | Double opt-in | Opt-out speed | Audit export | Starting price/mo |
|---|---|---|---|---|---|
| Twilio (self-build) | Custom (you build it) | Configurable | Immediate | Custom | ~$0 + usage |
| EZTexting | Keyword logs, form capture | Yes | Immediate | CSV export | ~$25 |
| SimpleTexting | Form + keyword logs | Yes | Immediate | CSV export | ~$39 |
| Podium | Review/web widget capture | Limited | Immediate | Limited | ~$399 |
| Attentive | E-commerce consent flows | Yes | Immediate | Yes | Custom (enterprise) |
| Klaviyo SMS | E-commerce form capture | Yes | Immediate | Yes | Usage-based |
| SlickText | Keyword + form logs | Yes | Immediate | CSV export | ~$29 |
| Salesmsg | CRM-integrated capture | Limited | Immediate | Limited | ~$25/user |
Twilio is the most flexible and the most work. You build compliant consent capture from scratch. No developer means it is the wrong choice. The e-commerce platforms (Attentive, Klaviyo) are strong on consent capture because TCPA plaintiffs hit that market hard, so the vendors built the guardrails in. For outbound sales teams, EZTexting, SimpleTexting, and SlickText hit a workable balance of features and price.
None of these replace legal counsel for your specific program. They are infrastructure, not advice. [6]
What is the difference between single opt-in and double opt-in for SMS?
Single opt-in enrolls a person the moment they submit their number. Double opt-in adds a confirmation step: you send a message like "Reply YES to confirm you want texts from Acme Corp" and enroll them only after they reply. [7] Both can satisfy TCPA. One gives you far better evidence.
Federal TCPA rules do not mandate double opt-in. The statute requires prior express written consent, and a well-documented single opt-in form can meet that bar. But double opt-in hands you two pieces of proof: the original submission and the confirmatory reply from the handset. It also weeds out fake and mistyped numbers, which cuts complaints at the source.
For high-volume programs, or any program buying leads from third parties, double opt-in is close to mandatory in practice. Lead aggregators sometimes sell lists where the "consent" hid in multi-page terms or came through deceptive flows. The FCC's 2025 one-to-one consent rule makes third-party consent hard to rely on anyway. [4] A confirmatory reply creates a fresh, first-party record that is much harder to attack.
The cost is real. Double opt-in typically drops list conversion by 20 to 40 percent depending on the channel. That is a business call, but make it knowing exactly what single opt-in leaves exposed. See our detailed breakdown at sms double opt-in.
How should your SMS opt-in form be structured to hold up in court?
A form holds up when the consent disclosure is clear and conspicuous, names your company, describes the message types, and sits right next to a submit button that is never pre-checked. The FCC's rules require written consent to clearly authorize autodialed texts, identify the sender, and avoid being a condition of purchase. [2] Courts have thrown out disclosures buried in terms-of-service links or set in 6-point gray type on a white background.
A compliant opt-in form includes the name of the sending company, the message types ("marketing offers and promotions"), an honest frequency estimate ("up to 4 messages/month"), a note that message and data rates may apply, links to your Privacy Policy and Terms, and a clear STOP instruction. The checkbox or submit button stays unchecked by default.
Your platform should capture a screenshot or static snapshot of the form as it appeared at the moment of consent, because plaintiffs love to argue the language was inadequate. Some platforms do this automatically. Many do not. If yours does not, run a change-log system so you can show a court exactly what the form said on any given date.
For compliant form language across industries, see sms opt in.
Does the FCC's 2025 one-to-one consent rule change how platforms need to work?
Yes, and the change is big. The FCC's Report and Order (FCC 23-107), adopted December 2023 and effective January 27, 2025, amended 47 C.F.R. § 64.1200 to require consent be given to one specifically identified seller at a time. [4] The old trick of a single lead-gen form disclosing "marketing partners" across dozens of companies no longer counts as written consent.
That breaks the classic lead aggregation model. Buy leads from a comparison site or a lead network, and those leads almost certainly lack consent specific to your company under the new rule. Texting them exposes you to TCPA liability even when the vendor swears they collected consent.
For platform selection, this means you need first-party consent flows where your brand is named outright. Co-registration and blanket consent forms are done. The best SMS platforms now let you white-label the consent page with your company name and product description embedded in the disclosure text, more than a generic terms checkbox.
Stay current on FCC enforcement at tcpa news today and lead generation compliance news.
What does automated consent management actually look like day to day?
Automation pulls humans out of the consent-capture and opt-out loop, because humans make mistakes under volume pressure. A well-built flow runs itself. Here is what that looks like.
A prospect fills out your web form. The platform's embed grabs the timestamp, IP, form URL, phone number, and the version of the consent disclosure shown. If you run double opt-in, it fires a confirmation message. The reply lands, the contact goes active, and the sequence starts. All of it writes to an immutable consent log.
Later the contact replies STOP. The platform catches that keyword and its variants (STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT, as the CTIA guidelines require) [8], suppresses the number immediately, logs the opt-out with a timestamp, and sends one confirmation message. Nothing else goes out. The suppression holds even if someone re-imports the number from a CRM sync.
That last point matters more than teams expect. A common source of post-opt-out texts is a rep who spots an old CRM contact and drops them into a new list by hand. Compliant platforms check every number against the suppression list at send time, not at import. Some push opt-out status back to Salesforce or HubSpot so reps cannot override it manually.
LeadCompliant's free TCPA tools include a suppression list checker you can run against a list before import, which catches this exact problem before it becomes a lawsuit.
For teams doing real estate outreach, the workflow has extra wrinkles covered in real estate text message marketing.
How much does a compliant SMS platform actually cost, and is it worth it?
Entry-level compliant platforms start at $25 to $40 per month; enterprise runs $1,000 to $5,000. Against a single TCPA case that costs six figures to defend, the platform bill is noise. Here is the real spread.
Entry-level tools with compliance features (EZTexting, SlickText, SimpleTexting) start around $25 to $40 per month for low-volume programs, with per-message fees typically $0.01 to $0.04 for outbound SMS. Mid-market platforms like Podium run $400 per month and up. Enterprise platforms like Attentive keep pricing private, but expect $1,000 to $5,000 per month for high-volume e-commerce.
Budget for registration on top of the platform. A dedicated short code through the CTIA short code registry runs $500 to $1,000 per year and suits high-volume campaigns. [9] 10DLC (10-digit long code) registration is cheaper, roughly $4 to $10 per month per brand through The Campaign Registry, with lower throughput limits. [10]
Set that against defense costs. A demand letter from a plaintiff's attorney typically seeks $1,500 per text, the willful amount. A batch of 10,000 non-consensual texts is a $15 million theoretical exposure. Even at a fraction of that, the legal fees to get to a settlement run $50,000 to $200,000. The platform cost disappears next to those numbers.
One honest caveat: paying for a compliant platform does not make your program compliant. The platform is a tool. You still need documented processes, trained staff, and legal review of your consent language. The software just makes following those processes easier and produces the records you need when someone comes after you.
Are there industry-specific compliance requirements beyond TCPA for SMS?
Yes. TCPA is the federal floor. Several industries stack extra rules on top of it.
Healthcare. HIPAA does not directly regulate marketing texts, but if your SMS program touches protected health information you need a Business Associate Agreement with your vendor and data-handling controls beyond standard marketing compliance. [11]
Financial services. The FTC's Telemarketing Sales Rule (TSR) reaches many financial product solicitations and adds disclosure and timing requirements. [12]
Real estate. The NAR and state real estate commissions publish guidance on contact with represented parties that intersects with TCPA. Some state laws (California, Florida, Oklahoma) pile state-level protections on top of the federal rules.
Restaurant and retail SMS programs sit lower on the risk scale because they usually text existing customers rather than cold prospects, but they still need compliant opt-in capture. See sample text message marketing for restaurants for practical examples.
B2B outreach trips up a lot of teams. TCPA applies to cell phones regardless of whether the number is used for business. Texting a prospect's mobile without consent because "it's a business context" is not a defense. [13] See our analysis at b2b lead generation platforms gdpr compliance for how GDPR interacts with this on international programs.
What questions should you ask an SMS vendor before signing a contract?
Skip "are you TCPA compliant?" Every vendor says yes. Ask five specific questions instead, and judge the vendor by how fast and how concretely they answer.
First, how are consent records stored, and for how long? You want per-number storage, timestamp precision, IP capture, and a minimum retention of five years (one year past the four-year statute of limitations). If they say "as long as you're a customer," ask what happens to your records when you cancel. You need portability.
Second, how are opt-outs processed? The answer should be "immediately on receipt of STOP." Ask whether opt-outs propagate to CRM integrations. Ask what happens when you import a list that already contains opted-out numbers.
Third, ask for documentation on their 10DLC or short code registration process. Carriers filter unregistered traffic hard. An unregistered campaign gets silently blocked, meaning your messages never deliver and you never find out. Worse, aggressive unregistered sending can get your account suspended.
Fourth, who owns your data if you leave? Some vendors treat your consent records as their property. That becomes a problem the day you switch platforms and need to port your suppression list.
Fifth, do they carry any contractual liability for compliance failures caused by their own platform defects? Most will not. The answer still tells you how seriously they take this.
For a deeper look at what software features to prioritize, see text message marketing software and marketing text message service.
What does a minimal viable compliance stack look like for a small outbound team?
A small team can cover the basics for under $100 per month: a compliance-grade platform, a registered 10DLC number, a documented consent process, a permanent suppression list, and a quarterly audit. Teams tend to either over-build this or ignore it. Here is the honest middle.
Start with a compliant SMS platform at $30 to $100 per month that offers keyword opt-in logging, immediate opt-out processing, and CSV export of consent records. EZTexting, SimpleTexting, and SlickText all land here. Pick on CRM integration fit.
Add a 10DLC-registered long code, roughly $4 to $10 per month through The Campaign Registry, now required by every major carrier for business texting. [10] Your platform handles registration, but you supply brand info and use case.
Build a consent capture process: a web form with compliant disclosure language, or a keyword program that delivers the disclosure in the opt-in confirmation message. Document what the form says and when you last changed it.
Run an internal suppression list. Any number that opts out, bounces as invalid, or belongs to a complainer goes on the list and never comes off. Your platform's built-in suppression handles this as long as you block CRM overrides.
Schedule a quarterly audit. Pull a sample of recent messages, trace each back to a consent record, and confirm the record exists and predates the message. Two hours of work catches drift before it turns into a filing.
LeadCompliant offers a free compliance kit with consent language templates and a pre-send checklist a small team can actually run without a dedicated compliance officer.
That is the whole stack. No $500-per-month add-on, no six-figure software suite at this scale. What you need is discipline.
Frequently asked questions
Does TCPA apply to business-to-business text messages?
Yes. TCPA applies to any text sent to a mobile number using an automatic telephone dialing system or artificial/prerecorded voice, regardless of whether the recipient uses that number for business. The FCC has consistently held that the recipient's use does not change the statutory protection. Texting a prospect's cell number without consent because the context is B2B is not a recognized defense.
Can I text someone who gave me their number on a business card?
No, not without separate SMS consent. Handing over a business card is not prior express written consent to receive automated marketing texts. The FCC requires consent specific to automated text messages, disclosing who is sending them and not conditioned on any transaction. Verbal permission or an implied okay from a card exchange does not meet that standard.
How long do I need to keep SMS consent records?
The TCPA carries a four-year statute of limitations under 28 U.S.C. § 1658. Retain consent records at least five years from the date of consent to cover that window with a buffer. Records should include the timestamp, phone number, source of consent (URL, keyword, form version), and opt-out date if any. Confirm your platform keeps records after account cancellation.
What keywords must I honor as opt-out commands for SMS?
The CTIA Messaging Principles and Best Practices list STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT as required opt-out keywords. Your platform must recognize all of them, more than STOP. Send one confirmation message after an opt-out, then send nothing further. Charging a fee or adding steps to opt out violates both CTIA guidelines and FCC rules.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC's one-to-one consent rule, adopted in FCC Report and Order 23-107 in December 2023, took effect January 27, 2025. It amended 47 C.F.R. § 64.1200 to require that prior express written consent for marketing texts identify one specific seller, not a list of partners. Lead-gen forms that bundled consent for dozens of companies in one checkbox no longer satisfy the written consent requirement.
Is double opt-in required by law for SMS marketing?
No. Federal TCPA rules do not require double opt-in. Prior express written consent can be established through a well-documented single opt-in form. But double opt-in creates a second piece of evidence, the confirmatory reply from the handset, and filters out fake numbers, making it much harder for plaintiffs to argue consent was not genuine. It is the better practice for any high-volume or third-party lead program.
What happens if my SMS platform processes an opt-out late and I send one more message?
That single post-opt-out text is a separate TCPA violation worth $500 to $1,500 in statutory damages. Courts have found liability on a single post-opt-out message. The FCC requires opt-outs be honored within a reasonable time, and carriers enforce immediate suppression as a condition of service. Pick a platform that processes STOP replies immediately on receipt, not in batch runs.
Do I need a short code or can I use a regular 10-digit number for compliance?
You can use a 10-digit long code (10DLC), but it must be registered with The Campaign Registry through your carrier. As of 2023, all major U.S. carriers require 10DLC registration for business application-to-person messaging. Unregistered traffic gets filtered or blocked. Dedicated short codes have higher throughput and register separately through the CTIA short code registry. Short codes cost $500 to $1,000 per year; 10DLC runs $4 to $10 per month.
Can I use a lead list I bought from a third party for SMS campaigns?
Only if you can verify each number on that list has prior express written consent specific to your company, not to the lead vendor or a generic partner list. After the FCC's January 2025 one-to-one consent rule, third-party lists relying on bundled or partner-network consent are almost certainly non-compliant. The practical answer for most outbound teams: do not text bought lists unless you can show a first-party consent record tied to your brand.
What is 10DLC registration and why does it affect compliance?
10DLC registration is the carrier-level system for business SMS sent from regular phone numbers. All major carriers (AT&T, Verizon, T-Mobile) require brands to register their company and campaign use case through The Campaign Registry before sending application-to-person messages. Unregistered traffic is filtered or blocked silently. Registration costs $4 to $10 per month per brand and takes one to five business days to approve.
Do state laws add SMS compliance requirements beyond TCPA?
Yes. California's CCPA and CPRA add data rights obligations, including the right to know and delete data, which extends to SMS consent records. Florida's Mini-TCPA (FTSA, effective July 2021) has its own prior express written consent requirement for intrastate calls and texts that some courts read broadly. Oklahoma, Washington, and other states run similar statutes. A federally compliant program may still need state-specific review.
How do I know if my current SMS platform is actually storing consent records correctly?
Run a test. Opt in from a test number using your normal customer-facing form, wait 24 hours, then request the consent record for that number from support or the admin panel. You should get the exact timestamp in UTC, the submission IP address, the form URL or keyword source, and the disclosure text version. If the platform cannot produce all four, your consent records will not survive litigation.
What disclosures must an SMS opt-in form include to be TCPA-compliant?
The form must clearly state the name of the company sending texts, the type of messages (e.g., marketing offers), an estimated frequency (e.g., up to 4 messages per month), that message and data rates may apply, links to your Privacy Policy and Terms of Service, and how to opt out (e.g., reply STOP). The disclosure must be clear and conspicuous, not buried in footnotes or linked terms. The submit button must not be pre-checked.
Is verbal consent sufficient to send marketing texts under TCPA?
No. TCPA requires prior express written consent for marketing texts sent with an autodialer. Verbal consent does not meet the written requirement. The FCC's rules allow electronic consent, so a web form submission counts as written, but a spoken agreement on a sales call or a verbal okay at a trade show does not. Train your sales team on this gap, because verbal consent collection is a common failure point.
Sources
- Cornell Legal Information Institute, 47 U.S.C. § 227 (TCPA statute text): TCPA prohibits automated texts to cell phones without prior express written consent; statutory damages are $500 per violation and $1,500 for willful violations.
- FCC, 47 C.F.R. § 64.1200 (implementing TCPA rules): Prior express written consent must be a clear and conspicuous disclosure, must identify the sender, and cannot be a condition of purchase.
- Cornell Legal Information Institute, 28 U.S.C. § 1658 (federal statute of limitations): The TCPA statute of limitations is four years under 28 U.S.C. § 1658.
- WebRecon LLC, TCPA Litigation Tracker: TCPA federal filings run approximately 3,000 to 4,000 per year, with text message cases comprising a growing share.
- FTC, Telemarketing Sales Rule (TSR) overview: The FTC's Telemarketing Sales Rule adds disclosure and timing requirements for financial product solicitations beyond TCPA.
- Cornell Legal Information Institute, 47 C.F.R. § 64.1200 (consent definitions): Prior express written consent for marketing texts is defined under the FCC's TCPA implementing rules; double opt-in is not separately mandated.
- CTIA Short Code Registry (U.S. Short Code Directory): Dedicated short code registration costs approximately $500 to $1,000 per year through the CTIA-affiliated short code registry.
- The Campaign Registry, 10DLC Registration: 10DLC brand and campaign registration costs approximately $4 to $10 per month per brand and is required by all major U.S. carriers for business application-to-person SMS.
- HHS Office for Civil Rights, HIPAA for Professionals: SMS programs involving protected health information require HIPAA Business Associate Agreements and appropriate data handling controls.
- FTC, Telemarketing Sales Rule overview: The FTC's TSR imposes additional disclosure and timing requirements for telemarketing, including SMS, related to financial products.