Last updated 2026-07-10

TL;DR
CTIA guidelines require documented opt-in before any commercial text, clear brand identification in every message, and honoring opt-outs within 10 minutes. Break them and carriers filter your traffic, reject your 10DLC campaign, or shut your program down overnight. TCPA liability runs $500 to $1,500 per text on top. CTIA rules sit above FCC law and the carriers enforce them.
What are the CTIA SMS compliance guidelines and who do they apply to?
The CTIA is the trade group that represents U.S. wireless carriers. It publishes messaging guidelines that every carrier, aggregator, and application-to-person (A2P) sender has to follow if they want texts to reach phones. These are not statutes. They are carrier-enforced rules that sit next to federal law and, in a few places, ask for more than the law does. [1]
If you send outbound sales or marketing texts, they apply to you. Full stop. It does not matter whether you have a list of 200 leads or a CRM pushing millions of messages a month. Carriers enforce at the infrastructure layer. Messages that break the rules get filtered, blocked, or cause your 10DLC campaign to be rejected before a single text goes out.
Two documents matter. The CTIA Messaging Principles and Best Practices covers consent, content, and opt-out for all A2P SMS, and was last updated in 2023. [1] The separate Short Code Monitoring Handbook applies to shared and dedicated short codes.
Here is the practical takeaway. Treat CTIA guidelines like carrier law, because the carriers do.
How do CTIA guidelines differ from TCPA requirements?
This is where teams get tripped up. The TCPA (47 U.S.C. § 227) is federal law, enforced by the FCC and through private lawsuits. CTIA guidelines are industry rules, enforced by carriers blocking your traffic. They overlap heavily on consent. They are not identical. [2]
The TCPA requires prior express written consent before you send commercial texts to a mobile number with an autodialer. The statute sets damages at $500 per message, up to $1,500 for willful violations. [2] CTIA goes further in a few concrete ways: opt-outs honored within 10 minutes, a specific opt-in confirmation message after someone subscribes, and message frequency disclosed at opt-in.
Here is the difference that should keep you up at night. A carrier can block your traffic today, no lawsuit needed. A TCPA plaintiff has to file in federal court and wait. Carrier filtering is faster, and it can kill your entire SMS program overnight.
For cold text message marketing, both sets of rules bite. Build to the stricter of the two on every point and you satisfy both.
| Requirement | TCPA (47 U.S.C. § 227) | CTIA Guidelines (2023) |
|---|---|---|
| Consent standard | Prior express written consent | Opt-in, documented |
| Opt-out deadline | Promptly (FCC guidance says reasonable) | Within 10 minutes |
| Opt-in confirmation | Not explicitly required | Required |
| Frequency disclosure | Not required | Required at opt-in |
| Quiet hours | 8am-9pm local time | 8am-9pm local time |
| Enforcement | FCC, private lawsuits | Carrier filtering, campaign rejection |
| Maximum penalty | $1,500/message (willful) | Traffic blocking, program termination |
What counts as valid opt-in consent under CTIA rules?
CTIA recognizes a few consent types, and for outbound sales the one you almost always need is express written opt-in. [1]
Express written consent means the person actively agreed to get texts from your specific brand, for the specific kind of messages you send, through a method that leaves a durable record. A checked box on a web form. A keyword texted to your number. A signed paper form. Any of those work, as long as the disclosure is clear. The disclosure has to name the brand, say recurring automated messages may follow, note message-and-data rates, state the expected frequency (approximate is fine), and link to your privacy policy and terms.
Two things do NOT create valid opt-in. Buying a list and texting everyone on it. Consent is not transferable, and a lead opting in for one company is not opting in for yours. And burying consent in general terms of service where nobody would notice it. The FTC and FCC have both addressed this, and CTIA echoes it. [8]
The opt-in confirmation message is something CTIA mandates that the TCPA never spelled out. After someone opts in, send one confirmation text: your brand name, a short program description, message frequency, message-and-data rates, HELP and STOP instructions, and a link to terms if you have them. Keep it non-promotional.
Document everything. Method of consent, timestamp, IP address for web forms, the exact disclosure language shown, the number that opted in. When a demand letter shows up, that record is your defense. There is no other defense.
What are the opt-out rules outbound sales teams must follow?
CTIA's opt-out rules are strict and specific. Any inbound message containing STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT has to trigger an opt-out, and you have to honor it within 10 minutes. [1]
After the opt-out you send one final confirmation. It confirms the opt-out was processed and that no more messages are coming. It can include a short note on how to re-subscribe. It cannot be promotional. That confirmation is the last text you are ever allowed to send that number for this program unless they opt back in.
Sales teams get a few things wrong here. Some CRM setups let reps manually text from the same number after a list-level opt-out. That is a violation. Opt-out applies at the number level for the whole program, across every marketing list. Others miss alternate spellings and punctuation. Your opt-out engine has to catch STOP with a trailing period, capitalization quirks, and obvious misspellings that show clear intent.
Honoring opt-outs also means you do not re-add those numbers to a new campaign, you do not buy a "fresh" list that happens to contain them, and you do not call instead of texting as an end-run (that opens separate TCPA exposure). The do not call list and your SMS opt-outs are separate registries, but courts have found that ignoring a clear objection in one channel creates risk in both. [2]
What is 10DLC registration and why does it matter for sales SMS?
10DLC (10-digit long code) is the carrier-mandated registration system for A2P texts sent from standard 10-digit numbers. AT&T, T-Mobile, and Verizon all require it. The Campaign Registry (TCR) is the neutral hub where brands sign up. [4]
For outbound sales teams, this is the most operationally important piece of SMS compliance right now. Send A2P texts from an unregistered number and carriers throttle or block them. Registration makes you declare your brand, use case (sales, notifications, alerts), sample message content, and consent method. Carriers review it and can reject campaigns that fall short. [4]
The fees are small. As of 2024 the one-time brand registration fee runs around $4 through most platforms. Campaign fees run roughly $10 to $15 per campaign per month depending on your provider. These numbers move, so confirm with your provider, but the order of magnitude is tiny next to the risk of running unregistered. [4]
Carriers have been blunt about one thing. Register a campaign as "notifications" and then send promotional sales texts, and that mismatch is itself a violation. Your use case has to match what you actually send. Campaigns flagged for misrepresentation get suspended, and re-registration can take weeks.
Short codes (5 or 6 digits) have their own registration path and need carrier approval. Toll-free numbers have their own verification. For most small outbound teams, a properly registered 10DLC campaign is the right place to start.
What content rules apply to outbound sales texts under CTIA guidelines?
CTIA's Messaging Principles include a prohibited content list that carriers use to filter traffic. Some categories are blocked no matter what consent you hold. [1]
Absolute blocks: sexually explicit content, hate speech, content promoting illegal activity, and anything that facilitates phishing or fraud. No exceptions. Filtering here is aggressive and automated.
Other categories need special handling or get blocked by some carriers. Cannabis messages are blocked by most carriers regardless of state law. High-risk financial services like payday loans and debt consolidation face heavy filtering and need explicit carrier approval. Firearms accessories, alcohol, and some pharmaceutical categories also draw restrictions.
For mainstream sales, the working rules are short. Identify your brand in every message, past the confirmation. No misleading or deceptive claims. No URL shorteners that hide the real destination (many carriers filter those). Include opt-out instructions periodically. Do not misrepresent what the message is about.
CAN-SPAM covers email; SMS has no direct federal content equivalent. But the FTC Act's ban on deceptive practices covers texts, and state consumer protection laws pile on in many places. California's CPRA and Florida's mini-TCPA both have text-specific provisions. [5]
Frequency matters too. CTIA expects the frequency you disclosed at opt-in to match what you actually send. Someone opted in for "up to 4 messages per month" and you send 20? That is a consent scope violation even if the original opt-in was clean.
What sending time restrictions apply to outbound SMS?
Both TCPA and CTIA hold sending hours to 8 a.m. through 9 p.m. in the recipient's local time zone. [9] The TCPA makes it a legal requirement. CTIA echoes it. Text a California lead at 10 p.m. Eastern from your New York office and you have hit them at 7 p.m. Pacific, which is fine. Text that same lead at 10 p.m. Pacific and you have broken the rule.
The trap is time zone data quality. Area codes lie. A 415 number (San Francisco) might belong to someone who moved to Denver years ago. The reliable approach is to normalize against the ZIP or the device's real location, not the billing number, or to default to the most restrictive read when you have no good data.
For sales specifically, a 9 a.m. to 7 p.m. local window buys you a buffer worth having. The law allows 8 a.m. to 9 p.m., but a late-evening text that draws a complaint still costs you legal fees to defend even when you were technically inside the line.
Holiday texting has no specific prohibition under CTIA or TCPA. Carrier filtering does tighten around major holidays when spam volume spikes. Sending sales blasts on Christmas or Thanksgiving is legal, and it will earn you higher filter rates and more opt-outs.
How does carrier filtering actually work and how do you avoid it?
Carriers filter and throttle messages that look like spam or break CTIA rules, using both automated systems and manual review. The automated side watches volume patterns, URL reputation, content keywords, and whether your sender is registered. Manual review kicks in for reported spam and high-volume campaigns. [4]
Common triggers: too many messages per second from one number (velocity limits), identical body text across thousands of sends (looks like a blast, not A2P), URLs pointing to known spam domains or shorteners that do not resolve cleanly, sending from unregistered numbers, and scam-flavored phrases ("you won", "free gift", "click here now").
What actually cuts filtering: proper 10DLC registration with accurate campaign data, real personalization so the body varies across recipients, branded tracked links from a domain you own, staying inside your declared volume ranges, and never buying numbers from services that recycle them without clearing old campaigns first.
Spam complaints feed the filtering score too. When a recipient reports your text using their carrier's built-in tool, that signal goes back to the carrier and the aggregator. Too many complaints relative to your volume triggers automatic throttling. Carriers do not publish the threshold, but messaging platforms generally flag accounts above a 0.3% complaint rate. [4]
Scrubbing your list against mobile phone do not call list registries and keeping suppression lists current keeps complaint rates down, because the people who already objected are the ones most likely to report you.
What are the penalties for violating CTIA SMS guidelines?
CTIA itself does not fine you. The pain comes from three directions: carriers who block your traffic, the FCC under the TCPA, and private plaintiffs also under the TCPA. [2]
Under 47 U.S.C. § 227, a private plaintiff may recover "the greater of actual monetary loss from such a violation, or $500 in damages for each such violation." For willful violations, courts may triple that to $1,500 per message. [2] In a class action covering 100,000 recipients, the math gets ugly fast.
Recent settlements show the exposure. The Cash App TCPA class action settlement and the Credit One TCPA settlement both show how per-message liability compounds when programs send at scale without proper consent. Carriers have also started fining aggregators for passing non-compliant traffic, and those costs land on the sender through service termination or surcharges.
FCC enforcement is a separate track. The FCC issued a $225 million fine in 2021 over illegal robocalls (a phone-call case under the TCPA, not SMS) and has signaled the same scrutiny for commercial texts. [6] The 2023 one-to-one consent rule, which took effect in January 2025 and was later vacated by a federal court, showed where regulatory pressure is heading even though that specific rule did not survive. [3]
For small teams, the realistic path looks like this. A complaint triggers an investigation. The investigation reveals no consent documentation. A class action or demand letter follows. Then a settlement or judgment. The cold call equivalent is comparable, but SMS builds a cleaner paper trail of violations because every message is logged.
How should outbound sales teams build a CTIA-compliant SMS program?
Build the consent infrastructure before you send a single message. A web opt-in form with the required disclosures already on it. A confirmed opt-in flow in your messaging platform. A suppression list that your CRM and messaging tools share in real time.
On the web form, put the consent disclosure right next to the phone number field, not in a footer. Name your company, state the message type (sales-related texts), give the approximate frequency, include the message-and-data rates line, and link to terms and privacy policy. Pre-checked boxes are not valid consent under TCPA or CTIA. [1]
Map the opt-out flow before launch. Pick a platform that handles STOP and HELP automatically and confirm it responds inside the 10-minute window. Do not run opt-out compliance on manual processes. One missed opt-out is one lawsuit.
For teams running cold calling alongside SMS, keep separate consent records per channel. A prospect who gave you a number for a callback gave you call consent, not text consent. Want to text them? Get explicit written opt-in. Check the do not call telemarketer list for voice and keep a separate SMS suppression file.
LeadCompliant's free TCPA compliance kit includes a consent disclosure template and a pre-send checklist built for outbound sales teams. Good starting point before you spend money on legal review. Not a substitute for counsel on your specific program.
Audit quarterly. Check your opt-in confirmation messages, run your content against CTIA's prohibited list, confirm your 10DLC registration is current and the use case still matches what you send, and verify opt-out handling is working. Programs drift. A quarterly review catches the drift before it becomes a lawsuit.
Do CTIA guidelines apply to one-on-one sales texts from a rep's phone?
This one is genuinely contested. CTIA guidelines and the A2P rules target application-to-person messaging, meaning automated or bulk sends from platforms. A single rep manually typing individual texts from a personal cell is generally treated as P2P (person-to-person) and falls outside 10DLC registration and most CTIA A2P rules. [1]
Here is where it blurs. If your rep uses a texting platform or a sales engagement tool that sends programmatically on their behalf, even when it feels like one-on-one outreach, that can count as A2P. The FCC has used "capacity" to decide autodialer applicability under the TCPA, rather than actual use. A platform that has the capacity to send automated messages can carry TCPA liability even when a human hits send on each one. [2]
The autodialer definition has been fought over hard. The Supreme Court's 2021 ruling in Facebook v. Duguid held that a random or sequential number generator has to be involved, which narrowed the definition. It did not erase risk for CRM-driven texting, and courts still split on the edge cases. [7]
Practical advice: if a rep uses any software to text prospects, treat it as A2P for consent and compliance. Building a consent-based program costs far less than defending a class action on the theory that your sales tool is not an autodialer.
Where can I find the actual CTIA guidelines documents?
The primary documents come straight from CTIA and are free to read.
The CTIA Messaging Principles and Best Practices is the core document for A2P SMS. It covers consent types, opt-in and opt-out, content standards, and carrier best practices. The current version was updated in 2023 and is published at ctia.org. [1]
The CTIA Short Code Monitoring Handbook covers programs on 5 or 6-digit short codes. It comes from the Short Code Registry and is also available through CTIA.
The Campaign Registry (TCR) publishes the 10DLC documentation: registration requirements, campaign types, and fees. That is where you register your brand and campaigns. [4]
For the underlying law, 47 U.S.C. § 227 is the TCPA statute, available through the Cornell Legal Information Institute at law.cornell.edu. [2] FCC implementing rules live in 47 C.F.R. Part 64, and FCC declaratory rulings are searchable at fcc.gov. [6]
In California, the CPPA (California Privacy Protection Agency) publishes guidance on how the CPRA applies to SMS marketing, which layers on top of CTIA and TCPA. [5] Florida, Texas, Oklahoma, and Washington all have state telemarketing or SMS laws worth reviewing if you market into them. [10]
Frequently asked questions
Do CTIA guidelines have the force of law?
No. CTIA guidelines are carrier-enforced industry rules, not statutes. But carriers enforce them at the infrastructure level, so non-compliant traffic gets filtered or blocked without any court involvement. The legal obligations come from the TCPA (47 U.S.C. § 227) and FCC regulations. In practice, violating CTIA guidelines and violating the TCPA tend to overlap, so both risks hit at once.
Can I text someone who gave me their number on a business card?
Generally, no. A number on a business card is consent to be contacted, but courts and the FCC have held it is not written consent to receive automated or bulk marketing texts. You need explicit opt-in that names your company and the message type. Safest move: ask directly when you exchange the number and document the consent separately.
How long do I have to honor an opt-out under CTIA rules?
CTIA's Messaging Principles require opt-outs honored within 10 minutes. The TCPA says "promptly," which the FCC has not defined with a specific number of minutes. The 10-minute standard is stricter, so build your system to meet it. A delayed opt-out that reaches the recipient the next day can support a TCPA claim, since that post-opt-out message is an unconsented text.
What happens if my 10DLC campaign gets rejected?
Your messages will not deliver on that campaign until you fix it. Common rejection reasons: a mismatch between your stated use case and your sample messages, missing consent disclosures, a brand name that does not match public records, or a use case in a restricted category. You correct the application and resubmit. Resolution runs from days to several weeks depending on the carrier review queue.
Is texting the same number multiple times without a response a TCPA violation?
Not automatically, as long as valid consent exists and you stay within the frequency disclosed at opt-in. But repeat texts to a silent number can look like harassment and drive up spam complaints, which hurts your carrier filtering score. If someone never responds across several messages, pull them from active sequences. Persistent texting without engagement is a legal risk indicator.
What disclosures must be in every outbound sales text?
Every message has to identify your brand. Opt-out instructions (STOP to opt out) should appear in the first and periodic messages, though CTIA does not require them in every single text once the program is established. The opt-in confirmation must include brand name, program description, frequency, message-and-data rates, STOP and HELP instructions, and a terms link. Individual sales messages after that need at least the brand identifier and cannot be deceptive.
Can I buy a list of phone numbers and start texting them for sales?
No. Consent is not transferable. Buying a list and texting those numbers without your own direct opt-in is a TCPA violation and a CTIA violation. The fact that another company collected the numbers gives you nothing. Plaintiffs' attorneys hunt specifically for purchased-list texting because it creates clean liability with no consent defense available.
How does the FCC's one-to-one consent rule affect outbound SMS?
The FCC issued a one-to-one consent rule in 2023 that would have required SMS consent to be specific to a single company rather than shared across a partner network. A federal court vacated it in early 2025 before it fully took effect. The direction of regulatory pressure is clear, and CTIA's own guidelines already recommend company-specific consent. Building for one-to-one specificity is the lower-risk path regardless of the rule's status.
What is the difference between a short code and a 10DLC number for sales texting?
Short codes (5-6 digits) support very high volume, go through a separate carrier approval process, and cost more to set up and maintain. 10DLC numbers look like standard phone numbers, are the norm for most business SMS, cost less, and register through The Campaign Registry. For most sales teams sending a few thousand messages a day or fewer, 10DLC is the right choice. Short codes make sense only at very high volume or when throughput speed is critical.
Are there states with SMS rules stricter than TCPA or CTIA guidelines?
Yes. Florida's Telephone Solicitation Act, effective 2021, extends TCPA-like protections to autodialed texts, with a private right of action and up to $500 per violation. Washington and Oklahoma have their own solicitation statutes that can reach SMS. California's CPRA adds data use restrictions. If you text into multiple states, the strictest applicable state law sets your floor, not the TCPA. Review the law for every significant market.
How do I check if a number is on a do-not-contact list before texting?
The National DNC Registry (donotcall.gov) covers voice calls primarily. For SMS you rely on your own internal suppression list of opted-out numbers plus any industry DNC databases your provider accesses. Some compliance vendors scrub numbers against multiple suppression lists. Keeping your own opt-out database updated in real time is the non-negotiable baseline. Third-party scrubbing is an extra layer, not a substitute.
What should I do if a customer threatens to sue over a text message?
Stop all texting to that number immediately and preserve every record. Gather your consent documentation, the opt-in timestamp, the exact consent language shown, and all message logs. Delete nothing. Forward the complaint to legal counsel before you respond. Many demand letters settle for small amounts when you have clean consent records. Without them, exposure runs $500 to $1,500 per message received. This is not legal advice; consult an attorney.
Does CTIA apply to B2B texting, or only consumer messages?
CTIA guidelines apply to A2P messaging broadly, B2B included. The TCPA's consent requirements apply to texts to mobile numbers regardless of whether the recipient is a business person or a consumer. Class action risk is lower in pure B2B because certifying a class of business recipients is harder, but individual TCPA claims are still possible. Carrier filtering treats B2B traffic exactly like consumer traffic.
How often should I include opt-out instructions in ongoing message campaigns?
CTIA guidelines do not set a mandatory frequency after the opt-in confirmation. Common industry practice is to include STOP instructions in the first message of a new sequence and then periodically, roughly every 5 to 10 messages or once a month for ongoing programs. Including it in every message is safe but feels spammy. Omitting it entirely after the confirmation is technically allowed but raises complaint rates when frustrated recipients cannot figure out how to stop.
Sources
- CTIA, Messaging Principles and Best Practices (2023): CTIA requires opt-in consent, opt-out honored within 10 minutes, opt-in confirmation messages, and frequency disclosure for A2P SMS programs
- Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA): TCPA provides $500 per violation and up to $1,500 for willful violations; requires prior express written consent for commercial texts to mobile numbers
- FCC, In the Matter of Rules and Regulations Implementing the TCPA (2023 one-to-one consent order): FCC issued a 2023 rule requiring one-to-one consent for SMS marketing, subsequently vacated by federal court in 2025; FCC and CTIA both address transferability of consent
- The Campaign Registry (TCR), 10DLC Registration Requirements: 10DLC brand registration costs approximately $4 one-time; campaign fees run approximately $10-$15 per month; carriers require registration for A2P SMS; complaint rate threshold for flagging is approximately 0.3%
- California Privacy Protection Agency, CPRA Regulations: California's CPRA adds data use and consent requirements applicable to SMS marketing conducted in California
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court ruled in 2021 that TCPA autodialer definition requires a random or sequential number generator, narrowing but not eliminating TCPA exposure for CRM-driven texting
- FTC, CAN-SPAM Act Compliance Guide for Business: FTC Act prohibition on deceptive practices applies to text messages; CAN-SPAM applies to email but FTC has broader authority over deceptive commercial communications
- Florida Legislature, Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's FTSA effective 2021 extends TCPA-like protections to texts and includes a private right of action with up to $500 per violation