FCC SMS opt-in rules: what you must do before you text

The FCC's 2024 order tightened SMS opt-in rules hard. Learn what written consent now requires, what fines look like, and how to stay legal. 155 chars.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-10

Person holding a smartphone at a desk with a notepad beside them
Person holding a smartphone at a desk with a notepad beside them

TL;DR

The FCC and TCPA require prior express written consent before you send marketing texts to any consumer cell phone. The FCC's 2024 one-to-one consent order killed the list-sharing loophole, so each seller has to get its own opt-in naming itself. Violations run $500 to $1,500 per text. Consent has to be written, clear, and documented before the first message goes out.

What does FCC SMS opt-in actually mean?

Before you send a single marketing text to a consumer's cell phone, you need their written permission, and that permission has to name you specifically as the sender. That's the whole rule in one sentence.

The legal foundation sits in the Telephone Consumer Protection Act, 47 U.S.C. § 227, which prohibits using an automatic telephone dialing system or an artificial or prerecorded voice to call or text a wireless number without prior express consent [1]. Congress tasked the FCC with writing the rules that put that statute into practice, and those rules live at 47 C.F.R. § 64.1200.

Marketing texts require "prior express written consent," a higher bar than the "prior express consent" standard that covers purely informational messages. Written consent means the consumer took an affirmative step. It does not mean you buried opt-in language in fine print they scrolled past.

The FCC tightened all of this in its December 2023 order (FCC 23-107), with the key provisions taking effect in 2025. That order closed what the FCC called the "lead generator loophole," where one consent form on a comparison-shopping or lead-gen site could authorize dozens of unrelated sellers to text the same person. That model is now illegal [2].

Run any outbound SMS program and this framework covers you: sales, follow-ups, promotional appointment reminders, drip campaigns. The rules do not carve out small businesses.

The FCC's December 2023 Report and Order (FCC 23-107, released January 2024) is the biggest structural change to SMS consent in over a decade [2]. Consent now has to be one-to-one. A consumer's opt-in can authorize exactly one seller. Not a category of sellers. Not a partner network. Not a "brands we work with" list.

Before this rule, lead generation sites routinely used language like "By submitting this form, you agree to be contacted by us and our marketing partners." One checkbox could unlock 50 companies' texting rights. The FCC found that this practice "contravenes the consumer protection purposes of the TCPA" [2] and ordered it stopped.

Under the new rule, the consent disclosure has to clearly and conspicuously identify the specific seller who will send the texts. Buy leads from a third party, and you cannot rely on that third party's consent language unless it named your company at the point of collection. Most purchased lead lists are now unusable for SMS without getting consent again, directly.

The rule also brought back a "logically and topically associated" requirement. The messages the consumer receives have to relate to the context in which they gave consent. Someone who filled out a form about auto insurance cannot be texted about home equity loans.

This is not a grace period situation. Still running a multi-seller consent model? You are exposed right now.

For a running feed of how the FCC and courts apply these changes, the lead generation compliance news section covers active enforcement and new interpretations.

What are the specific elements a valid SMS opt-in must include?

A compliant opt-in disclosure has seven parts, and missing even one undermines the whole thing. The FCC's rules and FTC guidance together define the list. Treat it as a checklist you cannot skip items on.

Clear identification of the sender. The disclosure has to name the specific company that will send texts. "You may be contacted by us or our partners" fails the one-to-one test now [2].

Disclosure of the nature of the communications. Consumers need to know they are agreeing to marketing messages, more than service updates. Saying "receive updates" when you plan to send promotional offers is a misrepresentation.

Disclosure that consent is not a condition of purchase. This comes straight from 47 C.F.R. § 64.1200(f)(9). You cannot condition a sale on the consumer agreeing to receive marketing texts, and the disclosure has to say so explicitly [3].

Message frequency disclosure. Standard practice, and a requirement under most wireless carriers' messaging guidelines, is to state how often messages will come. Something like "up to 4 messages per month."

Disclosure of potential message and data rates. The phrase "Message and data rates may apply" belongs in your opt-in confirmations.

A clear way to opt out. You have to tell consumers they can reply STOP to unsubscribe. That's both an FCC requirement and a carrier requirement.

An affirmative act by the consumer. Pre-checked boxes do not satisfy written consent. The consumer has to actively check a box, sign a form, reply to a keyword, or take some other deliberate step [1].

One practical note. Keeping a record of exactly when, how, and on what page a consumer gave consent matters as much as the consent language itself. In litigation, you carry the burden of proving consent existed. Without a timestamped record tied to the specific person, you're arguing from weakness.

For help building a form that hits all these marks, the SMS opt-in form: what it must say and how to build one guide walks through the construction step by step.

Key TCPA SMS penalty thresholds Per-text statutory damages and FCC forfeiture limits under current law $500 TCPA damages per text (standard) $1,500 TCPA damages per text (willful) $24k FCC forfeiture per violation (max) $178k FCC continuing violation cap (max) Source: 47 U.S.C. § 227(b)(3) and 47 U.S.C. § 503(b), as cited by FCC (2024)

How does keyword opt-in (texting a word to a short code) work legally?

Keyword opt-in is clean when you run it right. You advertise a short code, invite people to text a word like JOIN or YES, and the consumer starts the conversation, which is strong evidence of consent. But things still go wrong.

The advertisement that prompts the consumer to text in has to carry the required disclosures itself: who will text them, what kind of messages, how often, and the message-and-data-rates notice. The FCC and carriers expect this in the call-to-action, not in an autoresponse after the fact [3].

Then you send a compliant confirmation message right after opt-in. That message confirms enrollment, states the program name, gives opt-out instructions (STOP to cancel), discloses message frequency and possible charges, and provides a HELP contact. This is both an FCC best practice and a requirement under the CTIA Messaging Principles and Best Practices [4].

A keyword opt-in only covers that specific program. Run separate campaigns for different product lines and each one needs its own opt-in. You cannot borrow a consumer's keyword opt-in for one program to text them about a different promotion.

Keyword opt-in shows up most in retail, restaurants, and events. If you're building campaigns for those, the sample text message marketing for restaurants article shows how that opt-in language gets built into a customer-facing promotion.

The difference decides which of your texts are legal, and getting it wrong is one of the most common paths into TCPA litigation. Express consent is enough for non-marketing messages. Express written consent is required for anything promotional.

"Prior express consent" covers non-marketing calls or texts to wireless numbers, like a one-time appointment reminder with no promotional content. Consent here can be implied from context. A patient who hands a doctor's office their cell number has arguably consented to a text confirming a scheduled appointment [1].

"Prior express written consent" is required for any call or text that includes or introduces an advertisement or counts as telemarketing [3]. Marketing SMS lives here, full stop. Written consent means a signed written agreement (electronic signatures count under the E-SIGN Act) that:

  • Is signed by the person being contacted
  • Clearly authorizes that person to receive autodialed or prerecorded calls or texts from a specific seller
  • States the phone number consent applies to
  • Discloses that consent is not a condition of purchase

The practical consequence: oral consent, a verbal "yes" on a recorded call, is not enough for marketing texts. You need something the consumer actively signed or clicked. Courts have consistently rejected the argument that a prior business relationship substitutes for written consent when the messages are promotional [5].

If your team sends texts that mix informational and promotional content in one message, treat the whole message as requiring written consent. That's the safe read.

What are the TCPA penalties for sending texts without proper SMS opt-in?

The numbers are not hypothetical. TCPA sets statutory damages of $500 per violation, which means per text, and up to $1,500 per text when a court finds the sender willfully or knowingly broke the statute [1]. There is no cap per plaintiff, and the statute allows class actions.

Send 100,000 texts without proper consent and you could face $50 million in statutory damages in a class action, at the $500 floor. Courts sometimes reduce class damages in practice. But the exposure is real enough that carriers like Twilio suspend accounts they suspect of TCPA violations before the FCC or plaintiffs ever get involved.

The FCC has its own forfeiture authority too. Under 47 U.S.C. § 503(b), the FCC can impose fines up to $23,727 per violation and up to $177,951 for a single continuing violation, both adjusted annually for inflation [6]. The agency uses it. In 2022, the FCC proposed a $299 million forfeiture against a single robocall operation [7]. That case involved voice calls, but the statutory framework is the same.

For SMS specifically, private plaintiffs drive most of the litigation. TCPA is one of the most litigated federal statutes in the country, and plaintiffs' attorneys watch for companies running non-compliant text campaigns. A single complaint to the FCC can trigger an investigation that surfaces a broader pattern.

For a fuller picture of how penalties work and what settlements have looked like, the tcpa sms compliance overview covers enforcement history in detail.

Violation typeMinimum per textMaximum per textAuthority
TCPA statutory damages$500$1,500 (willful)47 U.S.C. § 227(b)(3)
FCC forfeiture (per violation)Varies$23,72747 U.S.C. § 503(b)
FCC continuing violation capVaries$177,95147 U.S.C. § 503(b)

Does the FCC's SMS opt-in rule apply to B2B text messages?

Anyone who tells you B2B texting is automatically exempt is either mistaken or selling you something. This is a genuinely gray area of TCPA, and the safe read leans toward compliance.

The TCPA applies to calls and texts made to wireless telephone numbers. It does not ask whether the recipient is a consumer or a business owner. Text a sole proprietor's cell phone, which happens constantly in B2B sales, and you're texting a wireless number owned by an individual. The TCPA's protections cover that person [1].

The FCC has not issued a blanket B2B exemption for SMS. There's a narrower exemption for calls to business numbers where the called party is not a "residential subscriber," but it maps poorly to cell outreach because most business cell phones are personal wireless lines.

B2B gets more flexibility in the consent analysis. Courts and the FCC recognize that prior business relationships and the context of professional communications can inform whether consent was implied, mostly for informational messages. For promotional SMS, the written consent requirement applies no matter whether the recipient is a business contact.

Practically: if you're texting individual cell numbers scraped from a database or LinkedIn, you need written consent. If you have a web form on a B2B site where someone submits their cell number and checks a box agreeing to receive texts from your company about your services, that's a workable consent model.

The b2b lead generation platforms gdpr compliance article covers how GDPR layers on top of this for international teams, though the TCPA analysis above governs U.S. numbers regardless of where your company sits.

How do you handle opt-outs properly under FCC rules?

Opt-out handling is where a lot of compliant-on-paper programs fall apart. The FCC requires every marketing text program to honor opt-out requests promptly. The standard, reflected in both FCC guidance and CTIA best practices, is that a STOP reply or its equivalent stops all further marketing messages to that number [4].

Here is what that means in practice.

You have to recognize the standard opt-out keywords: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. These are the CTIA-standardized keywords your platform should handle automatically. A consumer who sends any of them is opted out, immediately.

After an opt-out, you can send one final confirmation message. It cannot be promotional. It should acknowledge the opt-out and confirm no further messages are coming. Anything beyond that is a potential violation.

You cannot text an opted-out number again, even if they later submit a new inquiry through a web form, unless they explicitly re-consent with the same specificity the original opt-in required. Some platforms suppress opted-out numbers from new list uploads automatically. Verify yours does before you assume it does.

Keep records of opt-outs. The TCPA statute of limitations is four years [5], so retain those logs at least that long.

One trap: if you send from multiple platforms, short codes, or toll-free numbers, opt-out suppression has to sync across all of them. A consumer who opts out from one number and then gets texted from another number tied to the same program has a clean TCPA claim against you.

For more on building a double opt-in system that tracks opt-outs cleanly, see sms double opt in.

What proof of SMS opt-in do you need to survive a TCPA lawsuit?

Consent is an affirmative defense, which means when someone sues you under TCPA, the burden of proving consent falls on you [1]. The plaintiff does not have to prove they never consented. You have to prove they did.

So, for every number in your database, you need evidence of what consent was given, when, on which webpage or form, the exact language of the disclosure at that moment, and the IP address or other identifying detail tied to the submission.

A screenshot of your current opt-in form is not enough if you cannot show that was the form in use when this specific person consented. Courts have seen companies produce clean-looking consent forms updated after the complaint got filed. Judges do not react well to that.

Archive a dated copy of your opt-in form every time you change the language, and store it alongside your consent records so you can match a form version to the timestamp in a consumer's record. Some companies use third-party consent verification platforms that create a cryptographically signed record of the consent event.

If you're using text message marketing software, check whether the platform stores consent timestamps and what its data retention policy is. If it purges records after 12 months and a TCPA claim lands in year three, that's a serious problem.

LeadCompliant's free compliance kit includes a consent recordkeeping checklist and a sample opt-in form template you can adapt. Useful if you're starting from scratch and want to see what a defensible paper trail looks like.

Do different states have additional SMS opt-in requirements beyond FCC rules?

Yes. The biggest one is California's Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), which set separate obligations around how you collect, store, and use personal data, including phone numbers [8].

California does not duplicate the TCPA opt-in requirement. It requires that you tell consumers what data you collect and give them the right to opt out of its sale or sharing. If you buy or sell leads that include California residents' phone numbers, you may carry CCPA obligations on top of your TCPA ones.

Florida passed the Florida Telephone Solicitation Act (FTSA) in 2021, which initially created a separate state-law cause of action for texts sent using an auto-dialer to Florida numbers without consent. The 2023 amendment narrowed the definition of "autodialer" and reduced its scope, but Florida residents keep stronger-than-federal protections in some respects [9].

Texas, Washington, and a handful of other states have consumer protection statutes with texting-adjacent provisions. None currently rivals TCPA or FTSA in litigation risk for outbound SMS.

The takeaway: if you send any meaningful volume to California or Florida numbers, you need to understand those states' rules separately from FCC compliance. A program that's TCPA-compliant can still generate state-law liability if it ignores these layers.

For a broader view of how state laws layer onto federal SMS rules, see the opt-in sms marketing: the complete compliance guide article.

How does the FCC's SMS opt-in rule affect real estate and insurance lead generation?

Real estate and insurance are two of the heaviest users of SMS lead follow-up, and two of the industries hit hardest by TCPA class actions. High-volume purchased lead lists plus aggressive follow-up texting is exactly the pattern the FCC's 2024 one-to-one consent rule was built to break.

The old real estate model: a consumer visits Zillow, Realtor.com, or a similar portal, checks a box saying they want contact, and that consent flows to multiple agents or brokerages. Under the new rule, each brokerage or agent needs its own named consent from that consumer [2]. The portal's consent language has to name your brokerage specifically, more than "real estate professionals."

Insurance ran the same play. Lead aggregators sold one form submission to five competing carriers on the basis of a single consent. That's over. Each carrier needs individual consent. The FCC pointed to insurance lead generation as an example of the problem its 2024 order was solving [2].

This does not mean you cannot text real estate or insurance leads. It means you either capture consent directly on your own web properties, or work only with lead sources who can credibly document that your company was named in the consent disclosure at the point of collection.

Generate your own leads through inbound channels and your compliance posture is far stronger than if you lean on aggregators. For teams building that inbound infrastructure, the real estate text message marketing guide covers what a compliant inbound-to-text funnel looks like for that industry.

What technology or tools do you actually need to run a compliant SMS opt-in program?

The rules only protect you if your systems can execute on them. Compliance is an operational question as much as a legal one, and it comes down to four things working together.

One, a consent capture mechanism that records the timestamp, IP address, form version, and exact consent language at the moment of opt-in. A plain web form with no logging does not do this. Most marketing platforms store submissions with timestamps, but verify before you assume it covers you.

Two, a suppression list system that automatically blocks texts to opted-out numbers, numbers on the National DNC Registry (which some interpretations extend to texts), and numbers where consent was never obtained. Load a raw purchased list into your SMS platform and you need suppression to run before the first message goes out.

Three, a consent recordkeeping archive that holds records at least four years (the TCPA statute of limitations) and preserves historical versions of your opt-in form so you can match form language to specific consent timestamps.

Four, an opt-out workflow that processes STOP replies immediately, sends one confirmation message, and blocks further sends to that number across every sending channel.

Beyond the basics, a lot of teams do better with a dedicated marketing text message service that handles consent logging and suppression natively, instead of bolting these features onto a generic CRM.

LeadCompliant's free tools include a DNC and reassigned numbers checker for a first pass before you load any list into your SMS platform. It does not replace a full compliance audit, but it catches obvious exposure fast.

For teams already on Twilio, the Twilio TCPA compliance: what you actually need to do guide explains how to configure that platform to meet these requirements.

Frequently asked questions

Can I text someone who gave me their phone number on a business card?

Not for marketing, without more. A number on a business card is contact information, not consent to receive promotional texts. You need an affirmative opt-in that names your company, describes the type of messages, and confirms consent is not a condition of any purchase. Texting a cell number from a business card without that opt-in is TCPA exposure, regardless of whether the recipient is a business contact.

Does a website terms-of-service checkbox count as SMS opt-in?

Almost never. A general terms-of-service agreement buried in the signup flow does not satisfy the FCC's requirement for prior express written consent to marketing texts. Consent has to be clear, conspicuous, and specific to receiving autodialed marketing messages from your company. If the consumer did not actively agree to marketing texts, separately from the ToS, you do not have valid consent.

The FCC has not set a specific expiration window for SMS consent. But courts and FCC guidance suggest consent can go stale if a lot of time passes or the consumer's relationship with the sender changes materially. A common industry practice is to treat consent as expired after 18 to 24 months of inactivity and require re-opt-in. Dated consent records let you show freshness if challenged.

What is a compliant opt-in confirmation text?

A compliant confirmation message includes the program name, the sending company's identity, a 'Message and data rates may apply' disclosure, the message frequency (for example, 'up to 4 msgs/month'), opt-out instructions ('Reply STOP to cancel'), and a help contact ('Reply HELP for help'). Keep it short. The CTIA Messaging Principles and Best Practices set these standards, and carriers enforce them through their own audits.

Do I need opt-in for transactional texts like order confirmations?

For purely informational texts, such as shipping notifications, appointment reminders with no promotional content, or one-time passwords, the FCC requires only prior express consent, not prior express written consent. If a consumer gave you their number when placing an order, transactional follow-up on that order generally sits within that consent. Add any promotional element and you jump to the written consent requirement.

What does 'logically and topically associated' mean for SMS consent?

The FCC requires the messages you send to relate logically and topically to the context in which the consumer gave consent. Someone who opted in through your mortgage comparison tool can be texted about mortgage offers. You cannot use that same consent to text them about life insurance or auto warranties. The 2024 one-to-one consent order made this explicit: consent for one type of communication does not extend to unrelated offers.

Can I buy a list of phone numbers and start texting them for marketing?

No, unless each number on that list has documented prior express written consent naming your specific company as the intended sender. Under the FCC's 2024 one-to-one consent rule, bulk lists where consent was collected generically, or under another company's brand, do not satisfy the TCPA. Buying and texting such a list is one of the fastest ways to draw a class action complaint.

The FCC's December 2023 Report and Order (FCC 23-107) requires each seller to obtain its own specific consent from each consumer. A single opt-in form can no longer authorize multiple companies to text the same person. The consent has to name the exact seller, and later messages have to relate logically to the context of the opt-in. This effectively ended the multi-seller lead aggregation model for SMS.

Do nonprofit or political text messages need opt-in under FCC rules?

Nonprofit fundraising and political campaign texts still require prior express written consent under the TCPA if sent using an autodialer to wireless numbers. The FCC has not created a blanket political or nonprofit exemption for SMS. Some courts and FCC orders have addressed specific scenarios, but the safest position is to collect explicit opt-in consent before texting any cell number, whatever the message's purpose.

What is the difference between a long code and short code for SMS opt-in compliance?

From a consent-law standpoint, the type of number you send from does not change the opt-in requirements. Short codes (5 to 6 digit numbers) get used for high-volume campaigns and require carrier approval, which itself involves a review of opt-in language. 10-digit long codes and toll-free numbers require the same TCPA-compliant consent. The sending format affects carrier filtering and deliverability, but it does not lower the FCC's consent bar.

How do I re-opt-in existing contacts who consented under old rules?

If your existing consent records do not meet the one-to-one, named-sender standard from the 2024 FCC order, run a re-consent campaign before texting those contacts for marketing. Send a single message explaining the program and asking them to reply YES or click a link to confirm. Document the re-consent as rigorously as a fresh opt-in. Anyone who does not respond should come off your SMS marketing list.

Can I use a pre-checked box for SMS opt-in on my website?

No. A pre-checked box is not an affirmative act by the consumer, so it does not satisfy the FCC's prior express written consent requirement for marketing texts. The consumer has to actively check the box themselves. This principle appears in the FCC's rules at 47 C.F.R. § 64.1200 and has been reinforced in multiple court decisions interpreting the TCPA.

What happens if a phone number is reassigned to a new person after I collected consent?

Reassigned numbers are a real liability. The FCC established the Reassigned Numbers Database to let callers and texters check whether a number has been reassigned since consent was collected. Text a reassigned number and the new owner never consented, so they hold a TCPA claim against you. Best practice is to run your list against the database before campaigns and after any long gap in sending to that number.

Does the TCPA apply to texts sent from outside the United States?

Yes. The TCPA applies based on where the recipient's number is registered, not where the sender sits. A company texting U.S. wireless numbers from servers or offices in Canada, India, or anywhere else is subject to TCPA. The FCC and U.S. courts have jurisdiction over the harm to U.S. consumers, and a foreign sender location provides no shield.

Sources

  1. U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227 (Legal Information Institute, Cornell Law School): TCPA prohibits autodialed or prerecorded calls/texts to wireless numbers without prior express consent; provides $500-$1,500 per-violation damages.
  2. FCC, Report and Order FCC 23-107 (one-to-one consent rule, December 2023): FCC 23-107 requires one-to-one consent naming a specific seller; prohibits multi-seller consent forms; closes the lead generator loophole.
  3. FCC, 47 C.F.R. § 64.1200 (FCC implementing rules under TCPA, e-CFR): Written consent for marketing calls/texts must include disclosure that consent is not a condition of purchase; defines prior express written consent requirements.
  4. CTIA, Messaging Principles and Best Practices: CTIA standards require confirmation message after opt-in including program name, message frequency, opt-out and help instructions, and message-and-data-rates disclosure.
  5. Patten v. Vertical Fitness Group, 9th Circuit (TCPA statute of limitations and burden of proof precedent): TCPA has a four-year statute of limitations; written consent is an affirmative defense with burden on the defendant to prove.
  6. U.S. Congress, 47 U.S.C. § 503 (FCC forfeiture authority, Legal Information Institute, Cornell Law School): FCC forfeiture authority under 47 U.S.C. § 503(b) allows fines per violation up to $23,727, adjusted annually for inflation.
  7. California Attorney General, California Consumer Privacy Act (CCPA) overview: CCPA and CPRA impose data collection, use, and opt-out rights on personal data including phone numbers collected from California residents.
  8. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, as amended 2023: Florida FTSA creates a state-law cause of action for autodialed texts to Florida numbers without consent; amended 2023 to narrow autodialer definition.
  9. FCC, Reassigned Numbers Database (consumer and industry information): FCC established the Reassigned Numbers Database to allow senders to check whether a number has been reassigned to a new subscriber before contacting it.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit