Do SMS messages need opt-in consent? What the law actually requires

Yes, most marketing SMS messages require prior express written consent under TCPA. Learn exactly what opt-in proof you need, what's exempt, and how to stay safe.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Person reviewing SMS opt-in consent form on smartphone at morning desk
Person reviewing SMS opt-in consent form on smartphone at morning desk

TL;DR

Yes. Under the TCPA (47 U.S.C. § 227), sending marketing text messages to a cell phone without prior express written consent exposes you to $500 to $1,500 per message in statutory damages. Purely informational texts have a lower consent bar, but the FCC has made the line thin. If your text sells, promotes, or nudges a purchase, assume written opt-in is required.

What does federal law say about SMS opt-in requirements?

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the federal statute that governs this. [1] Congress passed it in 1991, long before smartphones existed, but the FCC has applied it hard to text messages since a 2003 ruling confirmed that SMS counts as a 'call' under the law. [2]

The statute says it is unlawful to 'make any call... using any automatic telephone dialing system or an artificial or prerecorded voice... to any telephone number assigned to a... cellular telephone service' without prior express consent. [1] The FCC's implementing regulations, at 47 C.F.R. Part 64, set 'prior express written consent' as the standard for telemarketing or advertising texts. [2]

Here is what that means at your desk. If your message promotes a product, service, or sale, you need a signed written agreement from the recipient before you hit send. A checkbox on a web form counts. A paper signature counts. A text-back keyword reply counts if your first message was compliant. A purchased list does not count. A scraped phone number does not count. A business card someone handed you at a trade show does not count.

The FCC reinforced this in its 2012 TCPA order, which tightened the consent rules and killed the existing business relationship exemption for automated calls and texts to cell phones. [2] Since then, 'we had a relationship' is not a defense.

Prior express written consent is an agreement, in writing, that bears the signature of the person called and clearly authorizes the sender to deliver telemarketing messages via autodialer to a specific phone number. [2] It must also state that consent is not a condition of any purchase.

That last piece trips up a lot of companies. If your checkout flow says 'by completing this purchase you agree to receive promotional texts,' you have a consent problem. The FCC is explicit: consent cannot be bundled with a purchase requirement. [2]

Valid consent usually looks like one of these:

  • A standalone checkbox on a web form, unchecked by default, with disclosure language that names your company, describes the message types you will send (for example, 'promotional offers and sale alerts'), discloses that message and data rates may apply, and links to your terms and privacy policy.
  • A keyword opt-in where a consumer texts a word like JOIN to your short code after seeing a compliant advertisement. The ad has to carry the required disclosures.
  • A paper form with a handwritten or electronic signature, same disclosures.

The disclosure language is not optional decoration. A 2023 FCC declaratory ruling clarified that the disclosure must specifically identify the company sending the texts; a generic 'you may receive messages from our partners' does not clear the bar. [3]

For more on building the actual form, see our guide to sms opt-in form best practices.

Are there any SMS messages that do NOT require opt-in consent?

Yes, but the category is narrower than most people assume.

Informational or transactional texts, the ones that deliver a receipt, a shipping confirmation, an appointment reminder, or a one-time password, need only 'prior express consent,' a lower bar than written consent. [2] Prior express consent can be implied from context. If someone gives you their cell number to receive order updates, you have implied consent for those updates. You do not have consent to then send them a promotional text.

Emergency alerts sent by government agencies or public utilities are exempt entirely. [1]

Texts from non-commercial political or charitable organizations sit in a gray zone. The TCPA exempts calls to cell phones made 'for emergency purposes' or with 'prior express consent,' but the FCC has not given political texts a blanket exemption from ATDS restrictions. Individual states, including Florida and Oklahoma, have added their own restrictions. [4]

B2B texting is another area where people assume they are safe. The TCPA does not carve out a B2B exemption. What changes is the practical odds of enforcement. Courts have generally found that a text to a business landline does not trigger TCPA cell-phone protections, but a text to the personal cell of a business contact absolutely does. [5] If your sales team is texting prospects on their personal phones, opt-in is still required.

One more edge case: texts sent manually, one at a time, by a human without any automation, arguably fall outside the ATDS definition. The Supreme Court's 2021 decision in Facebook v. Duguid narrowed the ATDS definition to systems that use a random or sequential number generator. [6] The 'we sent it manually' defense is risky and hard to document. Most compliance attorneys tell you to get consent regardless.

TCPA SMS violation cost thresholds Statutory damages per message under 47 U.S.C. § 227 $500 Standard TCPA violation (per text) $1,500 Willful TCPA violation (per text) $24k FCC maximum forfeiture (per violation) Source: Cornell LII, 47 U.S.C. § 227 (2024)

How much does it cost to get sued for sending texts without consent?

The TCPA sets statutory damages at $500 per violation and up to $1,500 per willful violation. [1] Each text message to each recipient is a separate violation. A campaign that sends one promotional text to 10,000 people without valid consent is a $5 million to $15 million exposure before a single attorney's fee.

This is not theoretical. TCPA class actions are among the most common consumer protection suits filed in federal court. Real settlements give you a sense of scale. Papa John's settled a TCPA class action for $16.5 million in 2013. Rite Aid settled for $4.9 million in 2021. [7] Industry-wide totals are hard to pin down because most cases settle confidentially, so treat any single headline number with caution.

Small outbound teams often think they are too small to get targeted. That is wrong. Plaintiffs' attorneys go looking for small to mid-size companies precisely because they are less likely to have solid compliance documentation, which makes the settlement math favorable. A single annoyed recipient who screenshots your text and calls a TCPA plaintiff firm can set off a class action.

The FCC can also assess its own forfeitures, up to $23,727 per violation under its current schedule. [8]

This is the single biggest recent shift, and a lot of outbound teams missed it.

In December 2023, the FCC issued a report and order requiring that consent obtained through a lead-generation website be 'one-to-one': the consumer must give consent specifically to the company that will contact them, not to a broad category of unrelated sellers. [3] The rule was set to take effect in January 2025.

Before this rule, a common lead-gen move was to have a consumer check a box consenting to be contacted by 'our partners and affiliates,' then sell that lead to dozens of unrelated companies, each of whom would claim TCPA consent. The FCC closed that loophole. [3]

Here is what it means for your outbound team. If you buy leads from a third-party publisher, the consent record has to name you specifically. 'Partners' language does not protect you. You need the consumer to have opted in to your company by name, or a contractual warranty from your lead vendor, plus audit rights to verify the consent record, and ideally a copy of the consent screenshot tied to each phone number.

If you buy leads, review this now. Our lead generation compliance news section covers the FCC order and its implementation timeline in more detail.

One caution: as of this writing, the one-to-one consent rule has faced a legal challenge in the Eleventh Circuit. Check current FCC guidance before relying on any specific implementation date, because litigation can shift timelines.

How do retail and loyalty SMS programs handle opt-in, and what does DSW's approach show?

Retail loyalty programs are a useful real-world model because they handle opt-in at scale under heavy legal scrutiny.

DSW (the shoe retailer) runs one of the larger loyalty SMS programs in retail. Its opt-in flow asks customers to text a keyword to a short code or to check an explicit opt-in box during online account creation. [9] The confirmation message DSW sends back includes the program name, a message frequency disclosure, 'Msg & data rates may apply,' and instructions to text STOP to opt out or HELP for help. That four-part confirmation message matches the CTIA's minimum requirement for compliant short code programs. [10]

The CTIA (Cellular Telecommunications Industry Association) Messaging Principles and Best Practices document is the industry's self-regulatory standard, and carriers widely treat it as a binding requirement for short code and 10DLC access. [10] It calls for clear opt-in disclosure before the first message, an immediate confirmation message, HELP and STOP keyword handling, and a message frequency disclosure. Carriers can and do suspend short codes and 10DLC campaigns that skip these steps.

If you are thinking about running a loyalty or promotional SMS program, the DSW model is worth studying. Separate opt-in from purchase. Be specific about message types. Honor STOP immediately. Keep records of every opt-in event.

See also: sms opt-in for a full walkthrough of building a compliant opt-in workflow.

What records do you need to prove someone opted in?

If you get sued, the burden is on you to prove consent. The FCC treats consent as an affirmative defense, which means you need documented proof, more than a general claim that you 'always get consent.' [2]

Minimum records to keep for each opted-in number:

  • Timestamp of the opt-in event (date, time, timezone)
  • IP address if the opt-in came through a web form
  • The exact disclosure language the consumer saw at the time of opt-in
  • The phone number they opted in from (if keyword)
  • Source URL or form identifier
  • Any confirmation message sent

Retention period: there is no single federal mandate, but most TCPA litigators advise keeping consent records for at least four years, matching the federal statute of limitations for TCPA claims. [1] Some state laws impose longer windows.

If you use a marketing text message service, check whether it logs and exports consent records automatically. Many platforms do, but the export format and retention policy vary. You need to be able to produce a consent record tied to a specific phone number on short notice if your legal team calls.

Do state laws add extra opt-in requirements beyond the TCPA?

Several states do, and some are stricter than the federal floor.

Florida's Telephone Solicitation Act, effective July 2021, bans unsolicited texts and calls to Florida numbers using any automated system. [4] Florida's law does not require proof of an ATDS the way the federal TCPA does after Facebook v. Duguid. Any automated text to a Florida resident without consent is a violation.

Washington State's Commercial Electronic Mail Act applies to commercial texts and requires opt-in consent plus clear identification of the sender. [11]

Texas and Oklahoma have their own mini-TCPA statutes with varying consent requirements. California's CCPA, while primarily a data privacy law, requires businesses to disclose how they collect phone numbers and use them for marketing, which overlaps with SMS consent in practice. [12]

The practical rule for a national outbound program: build your consent collection to meet the strictest state standard, which is generally Florida's. If your opt-in meets Florida's mini-TCPA, it almost certainly meets the federal TCPA. The reverse is not always true.

For teams selling across state lines, our breakdown of tcpa sms compliance covers the state-by-state patchwork in more detail.

How does double opt-in work and do you need it?

Double opt-in means sending a confirmation text after the initial opt-in that asks the subscriber to reply YES (or another keyword) before you add them to your list. The first message goes out, the consumer confirms, then they are in.

Federal law does not require double opt-in. The TCPA requires prior express written consent but does not spell out a two-step confirmation. [1] Double opt-in produces cleaner proof of consent, though, because you have a logged reply from the subscriber's own number, better than a form submission that could theoretically involve a typo or a third party entering someone else's number.

Carriers increasingly prefer double opt-in for 10DLC campaigns. Some carriers' compliance requirements treat double opt-in as a trust signal that lowers the chance of your campaign getting flagged for spam. [10]

For high-volume outbound marketing, double opt-in is worth the modest hit to list size. The people who confirm are genuinely interested. The ones who never reply were unlikely to convert anyway. It also gives you a second timestamp and a confirmed carrier-level interaction as your consent record.

See our sms double opt-in guide for implementation steps and example message copy.

What does a compliant SMS opt-in disclosure actually look like?

Here is what the disclosure needs to contain, based on FCC requirements and CTIA best practices [2][10]:

1. Your company's legal name (not a brand nickname, your actual legal name). 2. A description of the messages: 'promotional offers and new arrival alerts' or 'appointment reminders,' more specific than 'texts.' 3. The sending frequency or a reasonable approximation: 'up to 4 messages per month' or 'message frequency varies.' 4. 'Message and data rates may apply.' 5. Instructions to opt out: 'Reply STOP to unsubscribe.' 6. A link to your terms of service and privacy policy.

A real-world compliant example for a retail web form might read: 'By checking this box, you agree to receive promotional text messages from Acme Shoes LLC at the number provided. Up to 6 messages/month. Message and data rates may apply. Reply STOP to cancel, HELP for help. View our Terms and Privacy Policy.'

The checkbox must be unchecked by default. Pre-checked boxes do not constitute valid consent under the FCC's interpretation. [2]

For specific industries, the disclosure language shifts slightly. Real estate teams, for example, need to name the brokerage and the specific agents or campaign type. See real estate text message marketing for vertical-specific examples.

If you want to check whether your current opt-in language holds up, LeadCompliant's free sms opt-in checker walks you through the required elements against FCC and CTIA standards.

What happens if someone opts out and you text them again?

Texting someone after they have replied STOP is one of the most expensive mistakes in SMS compliance. Courts and the FCC treat post-opt-out contact as a willful violation, which puts you straight into the $1,500-per-message tier. [1]

The CTIA requires that STOP commands be honored within one business day. [10] Most modern SMS platforms handle this automatically. The problem is manual overrides. A sales rep re-adds a number to a new campaign list without checking the opt-out database. A data sync error reactivates a scrubbed number. That is how good companies get sued.

Operationally, you need a suppression list that is system-wide, not campaign-specific. If someone opts out of Campaign A, they should not receive Campaign B. This sounds obvious. It is a common failure point when companies run multiple SMS campaigns on different platforms or through different agencies.

You are allowed to send one final confirmation text after a STOP reply, something like 'You have been unsubscribed from Acme Shoes texts. Reply START to resubscribe.' That message does not count as a violation. Any message beyond that does.

How do you audit your current SMS program for opt-in compliance gaps?

Start with the consent records. Pull a random sample of 50 phone numbers from your active SMS list and verify that each one has a documented opt-in event with a timestamp, an IP address or confirmed keyword reply, and the disclosure language they saw. If you cannot produce that for a meaningful chunk of the list, you have a compliance gap.

Next, check your opt-in forms. Are they using pre-checked boxes? Is the disclosure language specific to your company, or generic partner language? Does it describe the message types accurately? Is the privacy policy link live and current?

Check your suppression list management. How often is your active list scrubbed against your opt-out database? Is it automated or manual? If manual, how often does it actually run?

Review your vendor chain if you buy leads. Do your contracts include TCPA compliance warranties from the vendor? Can you audit their consent records? Do they hand you the specific consent timestamp and disclosure language per lead?

The tcpa hub on LeadCompliant has a free compliance checklist that walks through each of these audit steps, and the compliance kit includes template vendor contract language for lead-gen warranties.

For teams using third-party platforms, our text message marketing software comparison includes a compliance features column showing which platforms log consent records automatically.

Frequently asked questions

Do I need opt-in for every type of SMS message, or just marketing?

Marketing and promotional texts require prior express written consent under the TCPA. Purely transactional or informational texts, like order confirmations or appointment reminders, need only prior express consent, which can be implied from the customer relationship. The line blurs when an 'informational' text includes a promotional offer. When in doubt, get written consent. The FCC has consistently read ambiguous cases against the sender.

Can I text customers who gave me their number on a contact form or business card?

No, not for marketing. Voluntarily giving you a phone number does not equal consent to receive promotional texts. The TCPA requires that the person specifically authorize automated marketing messages from your company. A contact form that collects a number for callback purposes is consent for a call, not for an ongoing SMS campaign. You need a disclosure at the point of collection that covers SMS marketing specifically.

How do I handle opt-in for leads I buy from a third party?

Since the FCC's 2023 one-to-one consent ruling, the consent must specifically name your company. Generic 'partner' language on the lead vendor's form does not protect you. You need a written warranty from the vendor that each lead opted in to your company by name, plus a copy of the consent record tied to each phone number. Treat any lead that cannot meet that standard as unconsented.

Does the TCPA apply to SMS messages sent from a regular cell phone without an autodialer?

After Facebook v. Duguid (2021), the Supreme Court narrowed the ATDS definition to systems that generate numbers randomly or sequentially. A human manually typing and sending individual texts arguably falls outside the ATDS definition. Most legal advisors do not recommend relying on this. Many state mini-TCPA laws, including Florida's, do not require ATDS proof at all, so manual texts can still create liability in certain states.

What is the statute of limitations on TCPA SMS claims?

Federal courts generally apply a four-year statute of limitations to TCPA claims under 28 U.S.C. § 1658, the general federal catch-all limitations period. Some circuits have applied a shorter period. The practical takeaway: keep your consent records for at least four years from the last message sent to each number. State law claims may carry different limitations periods, sometimes longer.

Nonprofits and political organizations are not fully exempt. The TCPA's automated call restrictions apply to any call or text to a cell phone without consent, regardless of whether the sender is commercial. Some FCC orders have provided narrow exemptions for healthcare and emergency notifications. Political texts to cell phones using an ATDS still require consent. Individual states vary, so check your state's law before assuming an exemption applies.

What is the CTIA and why does its guidance matter for SMS opt-in?

The CTIA (Cellular Telecommunications Industry Association) is the U.S. wireless industry trade group. Its Messaging Principles and Best Practices document is not federal law, but carriers, including AT&T, Verizon, and T-Mobile, treat it as a binding condition for short code and 10DLC campaign registration. Violating CTIA standards can get your campaign suspended at the carrier level, which cuts off your ability to send texts regardless of legal status.

How quickly must I honor a STOP opt-out request?

The CTIA requires STOP requests to be honored within one business day. In practice, most compliant SMS platforms process STOP commands in real time. Texting a subscriber again after they have replied STOP is treated as a willful TCPA violation, meaning statutory damages jump from $500 to $1,500 per message. Your suppression list must be system-wide, not limited to the specific campaign that received the STOP reply.

Is a pre-checked opt-in checkbox legally valid for SMS consent?

No. The FCC's regulations require that prior express written consent be an affirmative action by the consumer. A pre-checked box does not satisfy this because the consumer has not actively agreed to anything. The checkbox must be unchecked by default and must be checked by the consumer themselves. Courts have rejected pre-checked box consent defenses in TCPA litigation. Use unchecked-by-default checkboxes with clear disclosure language.

What should my first text message say after someone opts in?

Your first message, the opt-in confirmation, should include: your company name, a brief description of what they signed up for, message frequency, 'Msg & data rates may apply,' instructions to reply STOP to cancel and HELP for assistance, and optionally a link to your terms. This is both a CTIA requirement for short code and 10DLC access and a best practice for setting subscriber expectations. Keep it under 160 characters if possible.

Do restaurants and local businesses need SMS opt-in the same as large brands?

Yes. The TCPA applies regardless of business size. A local restaurant texting promotional offers to a list of phone numbers needs prior express written consent just as much as a national chain. Small businesses are actually targeted by plaintiffs' attorneys because they are less likely to have documented consent records. Our guide on sample text message marketing for restaurants covers compliant opt-in flows for local food service businesses.

No, not reliably. Email marketing consent under CAN-SPAM and SMS consent under the TCPA are separate legal frameworks with different requirements. A consumer who opts in to email marketing has not consented to SMS messages. You need a separate, specific opt-in for SMS that names the company, describes the message type, and discloses SMS-specific terms including message and data rates. Bundling email and SMS consent in a single checkbox is risky.

How do I handle SMS compliance for a B2B outbound sales team?

The TCPA does not have a B2B exemption for cell phones. If your reps are texting prospects on personal cell numbers, consent is still required. The practical workaround many B2B teams use is to send an initial compliant outreach message that identifies the sender and invites the prospect to reply to continue the conversation, treating a reply as express consent for further communication. This is not a guaranteed safe harbor, but it is a common documented approach. Track every interaction.

Sources

  1. Cornell LII, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits using an ATDS to call/text cell phones without prior express consent; sets damages at $500 per violation and $1,500 for willful violations
  2. Florida Legislature, Florida Telephone Solicitation Act (Section 501.059, Florida Statutes): Florida mini-TCPA bans automated texts to Florida residents without consent and does not require ATDS proof matching federal Facebook v. Duguid standard
  3. FTC, Complying with the Telemarketing Sales Rule: TCPA cell-phone protections apply to personal cell numbers regardless of business context; no general B2B exemption for cell phones
  4. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition in 2021 to systems that use random or sequential number generators, excluding many modern dialing systems from the strictest TCPA ATDS restrictions
  5. FTC, TCPA Enforcement Actions (FTC.gov): TCPA class action settlements have reached tens of millions of dollars; Papa John's settled for $16.5 million and Rite Aid for $4.9 million in documented TCPA cases
  6. DSW Designer Shoe Warehouse, SMS Terms and Conditions: DSW opt-in SMS program requires keyword or checkbox opt-in, sends confirmation message with STOP/HELP instructions, message frequency disclosure, and message and data rates disclosure
  7. Washington State Legislature, Commercial Electronic Mail Act (RCW 19.190): Washington State's Commercial Electronic Mail Act applies to commercial text messages and requires opt-in consent and sender identification
  8. California Attorney General, California Consumer Privacy Act (CCPA): California CCPA requires businesses to disclose how they collect and use personal information including phone numbers for marketing purposes, overlapping with SMS consent practices

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit