Last updated 2026-07-09

TL;DR
CAN-SPAM is an email law. It does not apply to commercial text messages. SMS marketing runs under the TCPA (47 U.S.C. § 227) and FCC rules, which require prior express written consent before you send a marketing text. Break those rules and each message costs $500 to $1,500. Here is how the consent rules actually work.
Does CAN-SPAM apply to SMS text messages?
No. CAN-SPAM does not apply to SMS text messages. It is an email law, full stop.
Congress passed CAN-SPAM (the Controlling the Assault of Non-Solicited Pornography And Marketing Act, 15 U.S.C. § 7701 et seq.) in 2003 to regulate commercial email [1]. Its rules cover subject lines, header accuracy, physical postal address disclosures, and opt-out mechanisms for email. A text message sent to a mobile number is not email, and nothing in the statute or the FTC's implementing rules stretches its reach to SMS [1].
This matters because people conflate the two laws all the time. Build your SMS program around CAN-SPAM, assume an opt-out link at the bottom of a text covers you, and you are exposed. The FCC and plaintiff attorneys give you no credit for following the wrong law.
The law that actually governs commercial SMS is the Telephone Consumer Protection Act, 47 U.S.C. § 227, plus FCC regulations at 47 C.F.R. § 64.1200 [3][12]. The TCPA has a private right of action. Any person who gets an unwanted text can sue you directly, without waiting for a government agency to move. That single feature is the engine behind nearly every large SMS enforcement outcome.
What law actually governs SMS marketing opt-in requirements?
The TCPA is the primary federal law. Congress enacted it in 1991, and the FCC has updated it by rulemaking many times since [3]. For SMS marketing, the rule that matters is this: you must get "prior express written consent" before sending any text that includes an advertisement or counts as telemarketing [12].
The FCC defines prior express written consent in 47 C.F.R. § 64.1200(f)(9) as an agreement, in writing, bearing the signature of the person called, that clearly authorizes the seller to deliver messages using an automatic telephone dialing system or artificial or prerecorded voice [12]. That written signature can be electronic. A checkbox, a submitted web form, or a keyword texted to a short code all qualify, as long as the disclosure language is clear and the consumer takes an affirmative action.
There is a second, lower tier called "prior express consent" (no "written" requirement). It covers informational texts like appointment reminders and transactional notices. Put any promotional element in the message, even a small one, and you are back to the higher written-consent standard.
State laws stack on top. California's Invasion of Privacy Act and Washington's Commercial Electronic Mail Act both touch mobile messaging, and several states have passed mini-TCPA statutes with their own consent rules. Florida's Telemarketing Act restricts certain commercial texts to Florida residents independently of federal law [5].
For a full breakdown of what TCPA compliance requires across your SMS program, see our guide to tcpa sms compliance.
What is prior express written consent for SMS, and how do you get it?
Prior express written consent has four required elements under FCC rules [12]:
1. The consumer must affirmatively agree. No pre-checked boxes, no consent buried in terms of service without a standalone disclosure. 2. The agreement must clearly authorize the specific sender or company by name. 3. The disclosure must describe the type and approximate frequency of messages. 4. The disclosure must state that consent is not a condition of purchase.
The FCC's 2012 omnibus order spelled out these requirements and removed the established business relationship exemption that used to let some promotional calls through without consent [12]. The order carries the citation FCC 12-21.
Here is what a compliant SMS opt-in looks like in practice. A web form with a checkbox, unchecked by default, sits next to language like: "By checking this box, you agree to receive marketing text messages from [Company Name] at the number provided. Message frequency varies. Message and data rates may apply. Reply STOP to opt out. Consent is not a condition of purchase." The consumer checks the box, submits the form, and you store a timestamped record of that action.
A keyword opt-in works too. A consumer texts "JOIN" to your short code after seeing your call to action, and your platform fires back a confirmation message with the required disclosures. That confirmation response locks in the consent record.
For detailed templates and form structures, see our article on sms opt-in form.
One thing people get wrong: importing a list of numbers from a lead vendor and treating a checkbox on the vendor's landing page as your consent record. A January 2024 FCC order (FCC 24-17) addressed exactly this. It requires consent on a one-to-one basis, meaning the consumer consented to your company specifically, not to some category of "marketing partners" [6]. The compliance deadline landed in January 2025. Still relying on list-purchased leads with blanket consent language? You are in real trouble.
What are the TCPA penalties for sending texts without proper opt-in?
The TCPA sets statutory damages of $500 for each text sent without proper consent. Find that the violation was willful or knowing, and a court triples it to $1,500 per text [3].
The statute has no cap per plaintiff, and the private right of action means plaintiffs do not have to prove actual harm. They just show you sent the message without compliant consent. Class actions multiply per-text damages across every recipient on a list, which is how these cases reach eight and nine figures.
Some real outcomes for context. Vibes Media settled a TCPA class action for $13 million in 2019 [7]. Dish Network agreed to pay over $280 million in 2017 to settle FTC and state attorney general actions tied to improper telemarketing, at the time the largest Do Not Call penalty ever [8]. Individual small-business defendants have taken judgments in the hundreds of thousands for campaigns of a few thousand texts.
The math is brutal. Send a promotional blast to 10,000 contacts without proper written consent, and your exposure at the $500 minimum is $5,000,000. At the willful rate, $15,000,000. No campaign earns enough revenue to cover that.
This is why proper sms opt-in infrastructure is not optional overhead.
How is the TCPA different from CAN-SPAM for opt-in and opt-out mechanics?
The structural gap is opt-in versus opt-out. CAN-SPAM is an opt-out regime. You can email anyone commercially as long as you follow the formatting rules and honor opt-out requests within 10 business days [1]. You need no permission to send the first email.
The TCPA for SMS is an opt-in regime. You cannot send the first marketing text without prior express written consent. Opt-out mechanics (STOP, CANCEL, UNSUBSCRIBE, END, QUIT) are required too, but they are a floor, not a ceiling. Consent comes before the first message, and you honor opt-outs immediately, usually within the same business day [3].
| Feature | CAN-SPAM (email) | TCPA (SMS) |
|---|---|---|
| Law | 15 U.S.C. § 7701 | 47 U.S.C. § 227 |
| Enforcer | FTC | FCC + private lawsuits |
| Consent model | Opt-out | Opt-in (written) |
| First message without consent | Allowed | Prohibited |
| Opt-out window | 10 business days | Immediate |
| Statutory damages | None (FTC civil penalty) | $500-$1,500 per message |
| Private right of action | No | Yes |
This table is why mixing up the two laws gets expensive. CAN-SPAM's permissive first-send rule does not carry over to SMS. Period.
Does the CAN-SPAM opt-out apply to texts you receive on your phone?
No. CAN-SPAM opt-out requirements apply to commercial email. An SMS text to your cell phone is not an email message under the statute, so CAN-SPAM unsubscribe mechanics do not apply [1].
Carriers and the CTIA (the wireless industry association) run their own guidelines that effectively require STOP commands to work for opt-out. Every major US carrier enforces these as a condition of using short codes and 10DLC numbers [9]. Text someone who replied STOP and keep sending, and you face both TCPA liability and carrier-level suspension of your sending number.
The CTIA's Messaging Principles and Best Practices document tells senders to honor opt-outs immediately. That is an industry rule, not a statute, but carriers will kill your campaign for breaking it.
So here is the common question: can you send a text, catch a STOP reply, then legally re-add that person because they technically consented somewhere else? No. A STOP reply revokes consent across the board for that sender and consumer pair.
What did the FCC's 2024 one-to-one consent order change about SMS opt-in?
The FCC's January 2024 order (FCC 24-17) made one change that upended a lot of lead-generation businesses. It killed the practice of getting a single consent from a consumer that names dozens or hundreds of "marketing partners" [6].
Before the rule, a lead-gen landing page might say "I agree to be contacted by partners including [list of 50 companies]." A consumer clicks submit, and all 50 companies claim valid written consent. The FCC called that arrangement the lead generator loophole and closed it.
Under FCC 24-17, consent for autodialed or artificial or prerecorded calls and texts must be obtained by one seller at a time. The consumer has to clearly understand they are consenting to that specific company. Consent naming a class of companies does not meet the one-to-one requirement.
The compliance deadline was January 27, 2025. Since that date, any marketing text sent to a lead bought from a vendor whose consent form used the "marketing partners" language is presumptively non-compliant.
Buy leads? Audit what the consent language actually said on the original opt-in page, confirm it named your company specifically, and keep a timestamped record. If your lead vendor cannot hand you that documentation, treat those contacts as lacking valid TCPA consent.
For ongoing updates on FCC enforcement posture, our tcpa news today coverage tracks new orders and case outcomes.
What records do you need to prove SMS consent?
The TCPA sets no retention period, but litigation reality points to one answer: keep consent records for at least four years, matching the federal statute of limitations that governs most TCPA claims [10].
A proper consent record contains:
- The full name and mobile number the consumer provided.
- A timestamp, date and time, of when they submitted the opt-in.
- The URL, or the short code and keyword, they used to consent.
- A screenshot or archived version of the exact disclosure language live on the page at that moment.
- The IP address, if you collected it via web form.
- Your confirmation message log, if you ran a double opt-in.
The IP address and the page-version archive often win or lose a TCPA case. A consumer claims they never consented. You produce a record showing IP address X submitted your form at 2:43 PM on March 3, 2024, with compliant disclosure language on the page. That is defensible. A spreadsheet holding a phone number and nothing else is not.
Want belt-and-suspenders confirmation? Add a sms double opt-in step. You text the consumer a PIN or confirmation prompt and require a reply, which creates a second timestamped record entirely inside your control.
LeadCompliant's free compliance kit includes a consent record template and a field-by-field checklist for what each record must contain. That is at leadcompliant.com.
Can you use CAN-SPAM compliance to satisfy SMS marketing requirements for B2B contacts?
No. B2B contacts do not exempt you from TCPA requirements for SMS.
A common belief says the TCPA only protects consumers, so texting a business contact's cell phone is fine without written consent. The statute says no such thing. The TCPA protects any call or text to a cellular telephone service, whether the number belongs to a consumer or a business employee [3]. Text a sales manager's cell without prior express written consent, and that is a TCPA violation, even if you pulled the number off LinkedIn.
Some attorneys argue that B2B texting from a human-dialed, non-ATDS platform sits outside TCPA coverage because of the autodialer requirement. That argument has merit in narrow circumstances, but the definition of ATDS (automatic telephone dialing system) has been litigated hard, and the line is not always clear. Facebook v. Duguid (2021) narrowed the ATDS definition to systems that use a random or sequential number generator, which helps some defendants, but many platforms still qualify [11].
The safest position for B2B SMS is simple. Get opt-in consent anyway. It costs almost nothing operationally, and it erases the ATDS definitional fight entirely.
For teams running both B2B and B2C outreach, see our overview of tcpa basics for a fuller picture of where the B2B lines actually sit.
What does a compliant SMS opt-in disclosure actually look like?
A compliant disclosure has to carry, at minimum [12][9]:
- The name of the company sending messages.
- A description of the message type (e.g., "promotional offers and updates").
- Approximate message frequency, or the phrase "message frequency varies."
- "Message and data rates may apply."
- How to opt out (reply STOP) and how to get help (reply HELP or a support URL).
- That consent is not a condition of any purchase.
An example that hits all of these: "By checking this box, you agree to receive recurring automated marketing text messages from Acme Corp at the number you provide. Message frequency varies. Msg & data rates may apply. Reply STOP to stop, HELP for help. Consent is not a condition of purchase. View our [Privacy Policy] and [Terms]."
What does not work:
- Consent buried in a 3,000-word terms of service with no standalone disclosure.
- A pre-checked checkbox.
- Language that says "by submitting this form you agree to our terms" with no specific mention of SMS.
- A disclosure naming "Acme Corp and its partners" without naming each partner.
If your website runs multiple sms opt-in form placements, say a contact page and a download gate, audit every single one. One non-compliant form instance can create exposure for your entire list.
For teams building out marketing text message service infrastructure, getting the form language right before you scale matters more than platform selection.
Are there industry-specific SMS opt-in rules beyond the TCPA?
Yes. Healthcare, financial services, and real estate each carry extra compliance layers.
Healthcare: HIPAA's Privacy Rule kicks in when texts contain or relate to protected health information. Getting TCPA consent does not give you HIPAA authorization to text medical details. These are separate consent frameworks.
Financial services: FINRA and SEC rules govern what broker-dealers can say in text messages, and SEC Rule 17a-4 recordkeeping requires archiving of business-related texts. Several firms have paid nine-figure fines in recent years for failing to capture off-channel communications, texts included.
Real estate: Agents texting leads face TCPA exposure and, in some states, state real estate commission rules on advertising disclosures. For teams running text campaigns on property listings, see our notes on real estate text message marketing.
Restaurants and retail: No sector-specific federal law, but FTC Act Section 5 unfair and deceptive practices standards still apply to your offers and disclosures. For practical examples, our sample text message marketing for restaurants article walks through real campaign structures that stay inside the lines.
The CTIA also publishes sector-specific messaging guidelines for cannabis, firearms, alcohol, and financial services, and carriers enforce them independent of statute. If your industry sits on that list, those guidelines shape what you can say and whether your messages get delivered at all [9].
How should you choose SMS marketing software with compliance in mind?
The platform you use gives you no compliance defense. The TCPA does not care what software you run. It cares whether you had valid consent before you hit send. But the right platform makes consent collection, recordkeeping, and opt-out processing much easier to get right.
Look for platforms that offer:
- Opt-in form builders with compliant disclosure templates.
- Automatic STOP and HELP processing with logs.
- Consent record storage tied to each contact, including timestamp and source.
- 10DLC registration support, required for most A2P messaging in the US since 2021.
- Double opt-in flows, if you want the extra record.
Platforms that let you import a CSV and blast without any consent verification are a liability, not a feature. The convenience of skipping the consent gate is not worth $500 per text.
For a side-by-side look at what different tools offer on the compliance side, our text message marketing software guide covers the field honestly, including where popular tools fall short.
Want a free starting point for auditing your current setup? LeadCompliant's free tools at leadcompliant.com include a TCPA consent checker and a DNC scrub tool.
Frequently asked questions
Does CAN-SPAM cover text messages?
No. CAN-SPAM (15 U.S.C. § 7701) is an email law enforced by the FTC. It has no provision covering SMS or MMS messages sent to mobile phones. Text message marketing runs under the TCPA (47 U.S.C. § 227) and FCC rules, which require prior express written consent before any promotional SMS. Building your text program around CAN-SPAM leaves you fully exposed to TCPA liability.
What is the difference between CAN-SPAM opt-out and TCPA opt-in for SMS?
CAN-SPAM is opt-out: you can email commercially without prior permission as long as you honor unsubscribe requests within 10 business days. The TCPA for SMS is opt-in: you need prior express written consent before the first promotional text. Under CAN-SPAM the opt-out runs after the first message; under TCPA, consent comes before. These are opposite frameworks, and you cannot substitute one for the other.
What is prior express written consent for SMS under the TCPA?
Under 47 C.F.R. § 64.1200(f)(9), prior express written consent is a clear, affirmative, written agreement from the consumer that names the specific sender, describes the message type and approximate frequency, notes that message and data rates may apply, explains how to opt out, and states that consent is not a condition of purchase. Electronic signatures, form checkboxes, and keyword texts to short codes all qualify as written if the disclosure meets these requirements.
Can I text B2B contacts without getting TCPA consent?
Not safely. The TCPA protects any text to a cellular telephone, whether or not the recipient uses that phone for business. Some attorneys argue human-dialed texts fall outside TCPA coverage because they do not involve an ATDS, and Facebook v. Duguid (2021) narrowed the ATDS definition. But that argument depends on your platform's technical architecture. Getting explicit opt-in consent from B2B contacts erases the debate and costs very little operationally.
What are the penalties for sending SMS without proper opt-in?
The TCPA sets statutory damages at $500 per message sent without valid consent. If a court finds the violation willful or knowing, that triples to $1,500 per message. There is no per-plaintiff cap, and the private right of action means any recipient can sue without waiting for FTC or FCC enforcement. A 10,000-message campaign sent without compliant consent carries a theoretical exposure of $5 million to $15 million.
Does the FCC's 2024 one-to-one consent rule affect my SMS marketing?
Yes, significantly. FCC order FCC 24-17 requires that TCPA consent for marketing texts be obtained by one company at a time, with a compliance deadline of January 27, 2025. A lead-gen form listing 20 or 50 marketing partners no longer creates valid consent for any of them. Each company must be named specifically on the consent form the consumer saw. If you buy leads, verify the consent was specific to your company or treat those contacts as lacking valid consent.
How long do I need to keep SMS consent records?
The TCPA's statute of limitations for private suits is generally four years under 28 U.S.C. § 1658. Keep consent records for at least four years from the date of last contact. Each record should include the consumer's name and number, an exact timestamp, the opt-in source (URL or keyword), the disclosure language live at the time, the IP address if available, and your confirmation message log if you use double opt-in.
Is a pre-checked consent box legally valid for SMS opt-in?
No. The FCC's rules require an affirmative action from the consumer. A pre-checked box does not show a deliberate choice to receive texts. Courts and the FCC have consistently held that passive acceptance, meaning failing to uncheck a box, does not meet the written-consent standard. Every SMS consent form must have the box unchecked by default and require the consumer to actively check it.
Can a consumer revoke SMS consent, and what happens if I keep texting?
Yes. Consumers can revoke consent at any time by any reasonable means, including replying STOP. The FCC has confirmed that consumers have the right to revoke consent and that senders must honor revocation. If you keep texting after a STOP reply, every later message is a separate TCPA violation at $500 to $1,500 each. Carriers will also suspend your sending number for ignoring STOP commands.
Does a website terms-of-service checkbox count as SMS opt-in consent?
No, not on its own. Consent buried in general terms of service, without a specific standalone SMS disclosure that meets all FCC requirements, does not satisfy prior express written consent. Courts have rejected terms-of-service consent arguments in TCPA cases repeatedly. The disclosure must sit close to the consent mechanism, read clearly, and speak specifically to text messaging from the named sender.
What is double opt-in for SMS and do I legally need it?
Double opt-in means sending a confirmation text after the initial sign-up, asking the consumer to reply YES or confirm with a PIN before you add them to your list. Federal law does not require it, but it creates a second timestamped record entirely inside your control, which is strong evidence in any dispute about whether consent was given. The CTIA recommends it as a best practice. For high-volume campaigns or purchased lead lists, the extra friction is worth the legal protection.
Do state laws add SMS opt-in requirements beyond the TCPA?
Yes. Florida's Telemarketing Act restricts certain commercial texts to Florida residents independently of the TCPA. California's CCPA and related privacy laws affect how you collect and store consent data. Washington, Texas, and several other states have telemarketing statutes with SMS implications. State laws can run stricter than the TCPA, and a state violation does not require the ATDS technical debate some federal defenses rely on. Always check the laws of the states where your recipients live.
Is consent from a lead vendor valid for TCPA SMS compliance?
Only if the consent named your company specifically and was obtained under FCC 24-17's one-to-one consent requirement, effective January 27, 2025. Generic marketing partners consent language from a shared lead form no longer qualifies. Ask your vendor for documentation showing the exact disclosure language the consumer saw, confirming it named your company by name, with a timestamp and IP address record.
What is 10DLC registration and does it affect SMS compliance?
10DLC (10-digit long code) is the US carrier registration system for A2P (application-to-person) business texting on standard 10-digit numbers. Since 2021, major carriers require businesses to register their brand and campaigns with The Campaign Registry before sending A2P texts. Without registration, messages get filtered or blocked. 10DLC registration does not substitute for TCPA consent compliance, but failing to register means your compliant messages may never arrive.
Sources
- FTC, CAN-SPAM Act Compliance Guide for Business: CAN-SPAM governs commercial email, not SMS; sets opt-out window of 10 business days; scope limited to electronic mail messages
- Cornell LII, 47 U.S.C. § 227 Telephone Consumer Protection Act: TCPA provides statutory damages of $500 per violation, trebled to $1,500 for willful violations; private right of action; applies to texts to cellular numbers
- Florida Legislature, Florida Telemarketing Act § 501.059: Florida's Telemarketing Act contains restrictions on commercial text messages to Florida residents independent of federal TCPA
- Top Class Actions, Vibes Media TCPA settlement: Vibes Media settled a TCPA class action for $13 million in 2019
- FTC, Dish Network Do Not Call penalty announcement (June 2017): Dish Network agreed to pay over $280 million in 2017 to settle FTC and state AG actions including improper telemarketing; largest Do Not Call penalty at the time
- Cornell LII, 28 U.S.C. § 1658 statute of limitations: Federal catch-all statute of limitations is four years, which governs most TCPA private claims
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Facebook v. Duguid narrowed the ATDS definition to systems using random or sequential number generators, limiting TCPA exposure for certain dialing platforms
- FCC, 47 C.F.R. § 64.1200 implementing regulations (eCFR): FCC's implementing regulations define prior express written consent and its required elements for autodialed and prerecorded calls and texts under the TCPA; the 2012 omnibus order (FCC 12-21) established these requirements