Bulk SMS marketing legal requirements: TCPA, GDPR, and what you actually need

TCPA fines hit $500, $1,500 per text. This guide covers every bulk SMS legal requirement, consent, opt-out, GDPR, and state laws, so you stay compliant.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Person holding smartphone on a desk, representing bulk SMS marketing compliance
Person holding smartphone on a desk, representing bulk SMS marketing compliance

TL;DR

Bulk SMS marketing in the US requires prior express written consent under the TCPA (47 U.S.C. § 227), mandatory opt-out handling, and quiet-hours limits. Marketing to EU residents adds GDPR consent rules. Violations cost $500, $1,500 per message in statutory damages. This guide covers every requirement, how to document consent, and what GDPR adds on top.

What laws govern bulk SMS marketing in the US?

Two federal laws do most of the work, and a growing stack of state laws pile on top.

The Telephone Consumer Protection Act (47 U.S.C. § 227) is the main event. [1] Congress passed it in 1991, and the FCC has rewritten its rules several times since. The TCPA prohibits sending marketing text messages using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice without the recipient's prior express written consent. The FCC confirmed in its 2012 rulemaking that the same written-consent standard that applies to robocalls also applies to marketing texts. [2]

The Telemarketing Sales Rule (TSR), enforced by the FTC, covers some SMS scenarios too, mostly around deceptive practices and do-not-call compliance. [3] But for most outbound SMS teams, the TCPA is the law that keeps you up at night.

On top of federal law, you have state analogs. States like Florida (FTSA), Oklahoma, and Washington have passed their own SMS-specific statutes that can be stricter than the TCPA on things like quiet hours and per-message damages. More on those in a later section.

For a full breakdown of how the TCPA applies to texting specifically, the TCPA SMS compliance guide is worth reading alongside this one.

This phrase is where most compliance failures start. The FCC's 2012 order defined prior express written consent as an agreement that: (1) is signed by the consumer, (2) clearly authorizes the seller to deliver telemarketing messages via autodialer or prerecorded voice, (3) discloses that consent is not a condition of purchase, and (4) identifies the phone number to which calls or texts may be delivered. [2]

"Signed" under the FCC's rules can be an electronic signature, a checked checkbox, a reply keyword like YES, or a wet signature. A pre-checked box does not count. Silence does not count. An existing business relationship does not count for marketing texts.

In practice, a compliant SMS opt-in flow looks like this: the consumer sees clear disclosure language (who's texting, what kinds of messages, frequency estimate, message-and-data-rates notice, and how to stop), then takes an affirmative step like checking an unchecked box or texting a keyword to a short code. You capture a timestamped record of that action and store it.

The FCC's text on consent states: "An agreement that does not expressly limit the consumer's consent to a particular identified seller... does not comply with the rules." [2] That language matters a lot for lead generators who share consent across multiple companies. If your opt-in form says "and our partners," courts have not been kind to that language. The lead generation space has seen heavy litigation over shared consent.

One reliable way to tighten your consent flow is SMS double opt-in, where the consumer confirms via a reply text after signing up. It adds friction but generates an extremely clean consent record.

What are the TCPA's per-message damages, and how bad can a lawsuit get?

The TCPA allows a private right of action. Any individual who receives a text in violation of the statute can sue for $500 per violation, or up to $1,500 per violation if the court finds the violation was willful or knowing. [1] There is no damages cap on class actions.

That math gets ugly fast. Send 10,000 texts without proper consent and you're looking at $5 million to $15 million in potential statutory damages before you account for attorneys' fees. Class actions are common because plaintiffs' attorneys can aggregate thousands of claims into a single filing.

Some real case examples: In 2022, Papa John's settled a TCPA class action for $16.5 million. [4] Domino's settled a text-message class action for $9.25 million. Volume is not a defense. Courts have consistently rejected the argument that the sender "didn't know" the contact list had bad consent records.

The FCC also has its own enforcement authority and can issue fines separately from private suits. In 2024 the FCC proposed a $6 million fine against a single lead generator for illegal robocall and text practices. [5]

For anyone running high-volume outbound, the risk-adjusted cost of non-compliance is not abstract. One bad contact list can generate a lawsuit that swallows the entire campaign's revenue and then some.

TCPA statutory damages by scenario Per-message exposure under 47 U.S.C. § 227 for a 10,000-text campaign Standard violation ($500/msg × 10… $5M Willful violation ($1,500/msg × 1… $15M Source: US Congress, 47 U.S.C. § 227

What are the required opt-out and quiet-hours rules for SMS?

The TCPA and FCC rules require that every marketing text carry a clear and conspicuous opt-out mechanism. [2] If a consumer texts STOP (or UNSUBSCRIBE, CANCEL, END, or QUIT), you must honor that immediately and send a single confirmation message. You cannot send another marketing message after a valid opt-out request. One text after a STOP request is a separate, clean TCPA violation.

Quiet hours are set by the FCC at 8 a.m. to 9 p.m. local time for the recipient. [2] That means local time at the recipient's location, not yours. If your team is in Arizona and your contact is in New York, use Eastern time. Automated platforms usually handle time-zone detection, but verify that setting before launch.

Texting frequency is looser. The TCPA sets no specific per-day or per-week cap, but many states and the CTIA (the industry association that governs short code use) add standards. CTIA guidelines require that your opt-in disclosure state an approximate message frequency, and blowing past that number materially can be used against you in litigation. [6]

Keep an opt-out list in a suppression file and scrub every new contact list against it before sending. This is a simple process step that many small teams skip, and it's how they get caught on a re-engagement campaign months later.

What does GDPR require for bulk SMS marketing to EU contacts?

If you're texting anyone in the European Union or European Economic Area, the General Data Protection Regulation applies. [7] GDPR is not an SMS-specific law, but SMS marketing involves processing personal data (phone numbers, location inference, behavioral data), so it triggers full GDPR requirements.

The core GDPR requirement for direct marketing by text is a lawful basis for processing. Article 6 lists six bases, but for unsolicited marketing, legitimate interest is very hard to justify in EU case law. In practice, explicit consent under Article 7 is the required route. [7] That consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent don't meet the standard.

Article 13 requires you to tell contacts, at the point of collection, who you are, what you'll do with their number, how long you'll keep it, their right to withdraw consent, and their right to complain to a supervisory authority. [7] That's a real disclosure, not a one-line footnote.

Right to erasure (Article 17) means if a contact asks you to delete their data, you must do it and document it. A STOP reply handles the marketing side, but if they separately invoke erasure rights, you must purge their number from your records entirely, including backup logs.

Fines under GDPR for serious violations can reach 4% of global annual turnover or 20 million euros, whichever is higher. [7] For a US company texting European numbers without proper consent, the exposure is real, and EU data protection authorities have shown willingness to act on complaint-driven cases against non-EU businesses.

If your team also does B2B outreach to EU businesses, the B2B lead generation platforms GDPR compliance article covers how the rules shift in that context.

How do TCPA and GDPR requirements compare side by side?

Both laws require consent for marketing texts, but the mechanics and consequences differ. The table below captures the most important comparison points.

RequirementTCPA (US)GDPR (EU)
Consent standardPrior express written consentFreely given, specific, informed, unambiguous consent
Pre-ticked boxesNot validNot valid
Existing customer exceptionNo (for marketing texts)Soft opt-in possible in some EU member states
Opt-out mechanismRequired (STOP keywords honored immediately)Right to withdraw consent at any time, easily
Data deletion rightNot specified by TCPAYes, Article 17 right to erasure
Quiet hours8 a.m., 9 p.m. recipient local timeNot specified in GDPR (member state ePrivacy rules apply)
Per-violation damages$500, $1,500 private right of actionUp to 4% of global turnover or €20M
Who enforcesFCC + private plaintiffsNational data protection authorities
B2B exemptionSome courts have found ATDS rules apply less strictly to B2BB2B may rely on legitimate interest in some cases

The practical takeaway: a consent flow that satisfies GDPR will generally satisfy the TCPA's written consent standard too. The disclosure requirements overlap heavily. Build your opt-in for the stricter standard and you're covered on both sides.

What state SMS marketing laws go beyond the TCPA?

Several states have passed laws that create extra obligations or private rights of action that are easier to trigger than the TCPA. [8]

Florida's Telephone Solicitation Act (FTSA), amended in 2021 and again in 2023, created a state-law private right of action for unsolicited marketing texts sent using an auto-dialer to Florida numbers without prior express written consent. Damages are $500 per call or text. Florida also restricts the hours for solicitation calls and texts to 8 a.m. to 8 p.m. [8] The 2023 amendment narrowed the FTSA slightly after a wave of litigation, but Florida stays high-risk for SMS campaigns.

Washington State's Commercial Electronic Mail Act (CEMA) covers commercial text messages and requires accurate sender identification and opt-out mechanisms. [9] Washington allows a $500 per-violation private right of action.

Oklahoma passed HB 1227 in 2022, creating similar SMS-specific consumer protections with a private right of action.

California's Consumer Privacy Act (CCPA) does not regulate marketing texts directly the way GDPR does, but it gives California residents rights over their personal data, including phone numbers. If a California resident asks you to delete their data or opt out of the sale of their information, you must comply whether or not they're on your SMS list. [10]

Texas, Georgia, and Indiana have do-not-call statutes that intersect with SMS under some interpretations. The safe approach is to treat your DNC suppression list as applying to texts as well as calls in any state with a broad solicitation statute.

For ongoing changes to state law, the TCPA news today feed tracks new cases and legislation as they happen.

What must your SMS opt-in disclosure actually say?

A legally compliant opt-in disclosure for US SMS marketing needs, at minimum, these elements, drawn from the FCC's written consent rules and CTIA's messaging guidelines:

1. The identity of the sender (your business name, more than a brand slogan). 2. A description of the types of messages the consumer will receive (promotions, alerts, reminders). 3. An approximate message frequency ("up to 4 messages per month" is common). 4. The statement that message and data rates may apply. 5. A clear disclosure that consent is not required to purchase goods or services. 6. Instructions for how to opt out ("Reply STOP to unsubscribe"). 7. A link to your privacy policy and terms of service.

For GDPR compliance, add: the legal basis for processing, the data controller's identity and contact details, the right to withdraw consent, how long you'll keep the data, and the right to lodge a complaint with a supervisory authority.

This doesn't all have to be inline text in a tiny checkbox label. You can put the full disclosure in a linked terms page, provided the summary disclosure is clearly visible at the point of opt-in and the link is labeled something clear like "Text marketing terms."

The FCC's rules state plainly that consent "shall not be a condition of purchase." [2] If your checkout flow gates completion on accepting SMS marketing, that is a violation. Plenty of e-commerce platforms do this by accident when developers copy form templates without reading the compliance requirements.

For template examples, the SMS opt-in form article has disclosure language you can adapt.

The burden of proving consent falls on the sender, not the recipient. [2] If someone sues you or files an FCC complaint claiming they never opted in, you need to produce a consent record. "We thought they opted in" is not a defense.

A minimum consent record includes: the consumer's phone number, the date and time of consent, the IP address or session identifier (for web opt-ins), the exact disclosure language shown at the time of consent (a version-tracked snapshot, more than a current screenshot), and the specific action the consumer took (checked a box, texted a keyword, signed a form).

Store this data for at least four years. The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, though some courts have used a two-year state-law period. Four years is the safer number. [11]

For keyword opt-ins (consumer texts JOIN to your short code), your SMS platform's inbound log is the consent record, but you need to export and back it up. Platform logs vanish if you cancel a service or migrate providers.

If you buy or rent contact lists, the consent record has to exist for those contacts too. List vendors who say "these contacts opted in" are selling you a compliance liability unless they can hand you source-level consent records with timestamps, original disclosure language, and IP logs. Most can't. Treat purchased lists without documentation as unconsented.

LeadCompliant's free TCPA consent checker is one place to audit what your current opt-in flows actually capture before you run a campaign.

What do the CTIA's industry guidelines require beyond the law?

The CTIA (Cellular Telecommunications Industry Association) sets guidelines for US commercial messaging that carriers enforce. [6] Violate them and carriers can block your messages, ban your short code, or de-register your 10DLC (10-digit long code). That's a business disruption entirely separate from legal liability.

Key CTIA requirements include: proper program disclosure in opt-in flows, STOP/HELP keyword support, no sending of prohibited content categories (cannabis, weapons, hate speech, and adult content to unconsented audiences), and registration of your brand and campaign before sending on 10DLC.

10DLC registration is now effectively required for any meaningful volume of SMS marketing in the US. [6] The process runs like this: register your business with The Campaign Registry (TCR), then register each SMS campaign type (promotions, alerts) separately. Carriers assign throughput limits based on your brand trust score. Unregistered long codes see heavy filtering and often complete blocking.

Toll-free number verification is a parallel requirement for toll-free SMS, with a similar registration process through carriers. Shared short codes were largely eliminated by carriers in 2021. If you're still on one, migrate now.

CTIA guideline violations don't create a private right of action the way the TCPA does, but carrier blocking of your campaigns is an immediate and painful consequence. For teams choosing a marketing text message service, verify that the platform handles 10DLC registration automatically and monitors carrier filtering.

Are there SMS compliance differences for B2B versus B2C campaigns?

Yes, though the line is blurrier than many B2B teams assume.

For B2C (consumer) SMS marketing, the TCPA's full prior express written consent requirement applies with no exceptions. It doesn't matter if the consumer gave you their number at a trade show, on a website form, or through a third-party lead. You still need documented written consent.

For B2B, the legal picture is murkier. Some federal courts have held that the TCPA's autodialer restrictions apply less stringently to messages sent to business lines, particularly after the Supreme Court's 2021 ruling in Facebook v. Duguid, which narrowed the definition of an ATDS. [12] If your texts go to a direct business number (not a personal cell) and the recipient is acting in their professional capacity, the B2B argument has more support. But most cell phones are dual-use, personal and professional, and courts haven't agreed on how to handle that.

Under GDPR, B2B marketing to EU contacts has more room. Legitimate interest (Article 6(1)(f)) can sometimes justify marketing to business contacts, provided you give an opt-out and the processing doesn't override the contact's fundamental interests. [7] But individual business contacts (not the company) still have rights, and the legitimate interest assessment has to be documented.

The practical advice: unless you're texting corporate landlines with zero chance of personal use, apply the same consent discipline to B2B that you'd apply to B2C. The cost of a wrong assumption is just too high.

What should a bulk SMS compliance checklist look like before you send?

Before any bulk send, run through these checks. This is the process I'd actually use, not an aspirational list.

Consent verification:

  • Every number on the list has a documented consent record with timestamp, disclosure version, and source.
  • No numbers from purchased lists without source-level consent documentation.
  • Consent was given specifically to your brand, not to "partners" generally.
  • Consent was not a condition of purchase.

Suppression scrubbing:

  • Active opt-out list is current and applied.
  • Federal DNC registry scrub (required for telemarketing texts; the FTC's DNC registry applies to text messages covered by the TSR). [3]
  • State DNC lists for states with independent registries.

Message content:

  • Sender identity is clear.
  • Opt-out instructions are in the message (STOP to unsubscribe).
  • No deceptive claims.
  • No prohibited content categories per CTIA.

Timing:

  • Send scheduled within 8 a.m., 9 p.m. recipient local time.
  • Time-zone detection is active in your platform.

Technical:

  • 10DLC brand and campaign registered for this campaign type.
  • Platform set to honor STOP replies automatically.

Documentation:

  • Consent records backed up externally.
  • Campaign record logged (date, list source, message content, volume).

For teams using text message marketing software, verify which of these checks the platform automates versus which you own manually. Don't assume the software handles the legal layer.

What should restaurants, real estate, and other specific industries know?

The baseline requirements above apply to every industry, but a few sectors carry extra context worth knowing.

Restaurants run loyalty and promotional SMS programs that often involve very high list volumes and frequent sends. The TCPA applies identically. Customers who text in to join a loyalty program and explicitly consent to SMS are good. Customers who gave their number to a server verbally are not consented under TCPA standards. For specific language and program structure ideas, the sample text message marketing for restaurants article has worked examples.

Real estate agents and brokerages carry unusual risk because they often text leads from purchased lists, cold prospect lists, or open-house sign-in sheets. Sign-in sheets with no SMS disclosure are not TCPA consent. Texting cold leads without documented consent is the single most common source of TCPA exposure in real estate. The real estate text message marketing guide covers compliant workflows for that vertical specifically.

Healthcare providers sending appointment reminders have a partial exemption for purely informational (non-marketing) texts to established patients, but any text that promotes a service converts it to a marketing message and triggers full consent requirements.

Financial services and insurance face extra FTC regulations on top of the TCPA, including truthful disclosure and do-not-call requirements that interact with SMS in state-specific ways.

If your team's outbound includes SMS and you want ongoing updates as this law evolves, the lead generation compliance news hub is a useful resource.

This article is a legal reference guide, not legal advice. For specific compliance questions, consult a TCPA-focused attorney.

Frequently asked questions

An existing business relationship does not substitute for prior express written consent under the TCPA for marketing texts. The FCC eliminated that exception for telemarketing texts in its 2012 rulemaking. You need a documented, affirmative opt-in from that customer specifically authorizing SMS marketing from you, separate from the purchase transaction.

Does the TCPA apply to texts sent manually from a cell phone?

Texts sent manually, one at a time, from a human holding a phone are generally not covered by the TCPA's autodialer restrictions. The TCPA targets systems with autodialing capacity. But if you're using any platform that sends in bulk or schedules messages, it likely qualifies as an ATDS. Most compliance attorneys recommend applying TCPA consent standards regardless of the sending method for marketing messages.

What counts as a valid STOP reply and how quickly must I honor it?

STOP, UNSUBSCRIBE, CANCEL, END, and QUIT all trigger opt-out obligations under CTIA guidelines and FCC rules. You must honor the opt-out immediately and may send one confirmation message. Sending any further marketing texts after a valid STOP request is a separate TCPA violation at $500, $1,500 per message. Your platform should suppress the number automatically.

Is GDPR relevant to US-only businesses?

Yes, if you have any EU or EEA residents in your contact list. GDPR applies based on where the data subject is located, not where your business is incorporated. A US company texting a French resident is subject to GDPR for that contact's data. If you're certain your list is 100% US-based, GDPR doesn't apply, but confirming that geographic scope for a purchased list is often impossible.

What is 10DLC and is registration required?

10DLC stands for 10-digit long code, a standard US phone number used for business SMS. Since 2021, carriers have required brands and their campaigns to register with The Campaign Registry before sending commercial SMS at volume on 10DLC numbers. Unregistered numbers face message filtering and blocking by major carriers. Registration is done through your SMS platform in most cases.

Can I text numbers from a list I purchased?

Only if the vendor can provide source-level consent records: the specific disclosure shown, the date and time of opt-in, IP address, and the fact that consent was given to your company specifically, not to the list vendor or to unnamed partners. In practice, almost no purchased list can meet that standard. Treating purchased lists as unconsented is the safest and most common approach among compliance-aware teams.

What quiet hours apply to bulk SMS marketing?

The FCC's rules prohibit marketing texts before 8 a.m. or after 9 p.m. in the recipient's local time zone. Florida restricts to 8 a.m., 8 p.m. under the FTSA. Always use the recipient's local time, not the sender's. If your platform doesn't detect and apply recipient time zones automatically, schedule campaigns manually with geographic filtering.

The TCPA has a four-year federal statute of limitations under 28 U.S.C. § 1658, though some state courts have applied a two-year period. Keeping consent records for a minimum of four years is the standard recommendation. Records should include the phone number, consent date and time, disclosure text shown, IP address, and the action taken to opt in.

The FCC distinguishes these. Purely informational texts (account alerts, fraud warnings) may require only "prior express consent." Marketing texts require the higher standard: "prior express written consent," which must include a signed agreement, identify the seller, authorize marketing messages by autodialer, and disclose that consent is not a purchase condition. If your texts promote anything, treat them as marketing and get written consent.

Does double opt-in protect me from TCPA lawsuits?

It cuts risk sharply. A double opt-in (where the consumer texts a keyword to confirm after signing up) creates a second consent record that's very hard for a plaintiff to dispute. It's not a statutory requirement, but in litigation it can be a strong defense. It also reduces accidental opt-ins from fat-finger phone entries. Most compliance attorneys recommend it for high-volume programs.

The FCC adopted a one-to-one consent rule in December 2023, requiring that consent be given specifically to one seller at a time, not to a lead generator's "partners" list broadly. [5] This was designed to end the practice of bundling consent across multiple brands on a single web form. If you receive leads from third parties, each lead's consent must name your company specifically. Note that the rule's effective date and scope shifted after litigation, so check current status before relying on it.

Are opt-out confirmation texts required, and do they count as marketing?

One opt-out confirmation text is permitted after a STOP request and does not count as a marketing message under FCC guidance. It should only confirm the opt-out and provide a help contact if needed. It must not contain any promotional content. After that single confirmation, no further texts are permitted to that number.

What's the risk exposure for a small business running its first SMS campaign?

TCPA litigation is not limited to large companies. Plaintiffs' attorneys actively look for smaller businesses with non-compliant campaigns because they often lack documented consent records. A campaign of 5,000 texts without proper consent creates up to $7.5 million in statutory exposure. Even at a fraction of that in a nuisance settlement, it exceeds most small businesses' annual SMS revenue. The compliance cost is small by comparison.

Sources

  1. US Congress, 47 U.S.C. § 227 (Telephone Consumer Protection Act): The TCPA prohibits sending marketing text messages using an ATDS without prior express written consent, with damages of $500–$1,500 per violation.
  2. FTC, Telemarketing Sales Rule (16 CFR Part 310): The FTC's Telemarketing Sales Rule covers deceptive practices and do-not-call compliance for SMS in some scenarios.
  3. Law360 / Public court records, Papa John's TCPA class action settlement 2022: Papa John's settled a TCPA class action for $16.5 million in 2022.
  4. European Commission, General Data Protection Regulation (GDPR) full text: GDPR Article 7 requires freely given, specific, informed, and unambiguous consent for direct marketing; Article 17 grants right to erasure; fines reach 4% of global turnover or €20 million.
  5. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059 F.S.: The FTSA creates a Florida private right of action for unsolicited marketing texts at $500 per violation and restricts solicitation to 8 a.m.–8 p.m.
  6. Washington State Legislature, Commercial Electronic Mail Act (RCW 19.190): Washington's CEMA covers commercial text messages and allows a $500 per-violation private right of action.
  7. California Attorney General, California Consumer Privacy Act (CCPA): The CCPA gives California residents rights over personal data including phone numbers, including the right to delete and opt out of sale.
  8. US Congress, 28 U.S.C. § 1658 (federal statute of limitations): The TCPA's federal statute of limitations is four years under 28 U.S.C. § 1658, the standard for retention of consent records.
  9. US Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court narrowed the ATDS definition in 2021, requiring that a system randomly or sequentially generate numbers to qualify, which affects B2B TCPA analysis.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit