Last updated 2026-07-10

TL;DR
The TCPA is federal law with $500, $1,500 per-text penalties and a private right of action. CTIA guidelines are carrier-enforced industry rules with no right to sue, but carriers can block your traffic or kill your account. Both apply to outbound SMS at the same time. Ignore either one and you carry real risk, just through different doors.
What is the TCPA and how does it govern outbound text messages?
The TCPA is federal law that controls how you contact people by phone and text. It sits at 47 U.S.C. § 227, passed in 1991 to stop robocalls. The FCC extended it to text messages, and courts have held that SMS sent to mobile phones through an autodialer or prerecorded message triggers TCPA protections. [1]
The core rule for marketing texts is prior express written consent. That standard comes from the FCC's 2012 order, which tightened consent rules hard. A person has to agree in writing, with a clear disclosure that they're agreeing to autodialed marketing messages from your specific company. Oral agreement doesn't count for marketing. Neither does a checkbox buried in general terms.
The statute gives consumers the right to sue. Anyone who gets a non-compliant text can come after you for $500 per violation or actual damages, whichever is bigger. If a court finds the violation was willful or knowing, that jumps to $1,500 per text. [2] Class actions multiply that fast. The Cash App TCPA class action settlement and the Credit One TCPA settlement both hit eight figures because per-message liability stacks across millions of recipients.
The FCC enforces the TCPA through administrative action. Private lawsuits are the bigger practical threat. No government agency stands between you and a plaintiff's attorney.
What are CTIA guidelines and who enforces them?
CTIA is the trade group for wireless carriers, including AT&T, T-Mobile, Verizon, and the MVNO networks that ride on them. It publishes the Messaging Principles and Best Practices, which sets technical and content standards for commercial SMS and MMS traffic. [3] These aren't laws. They're the rules carriers agree to enforce.
Enforcement works nothing like the TCPA. CTIA has no regulatory authority and can't fine you. Carriers enforce CTIA standards through their aggregator and direct-connect contracts instead. Violate the guidelines and your aggregator can throttle, block, or terminate your campaigns. The carrier can block traffic at the network level. You don't get sued. You get cut off.
That's not a minor inconvenience. If a major carrier flags your short code or toll-free number as non-compliant, your messages stop reaching a large slice of U.S. mobile subscribers. An SMS channel can die overnight. The 10DLC (10-digit long code) registration system, introduced in 2021, made enforcement more systematic because brands now register their campaign use cases and carriers match live traffic against that data. [4]
So the TCPA is law backed by courts. CTIA guidelines are contract terms backed by carriers. Both have teeth, and they bite in different places.
Where do TCPA and CTIA rules overlap for outbound SMS?
The overlap is large and deliberate. CTIA built its messaging guidelines to line up with TCPA requirements so carriers could enforce compliant behavior at the network level. Alignment isn't identity, though. The two frameworks split in ways that matter.
| Requirement | TCPA | CTIA Guidelines |
|---|---|---|
| Prior express written consent for marketing | Required by statute [2] | Required; must include program description |
| Opt-out via STOP (and synonyms) | Required by FCC rules [1] | Required; carriers check for this |
| Opt-out timing | FCC guidance points to 10 business days | Functionally immediate; carriers watch response time |
| Message content disclosure (who is texting) | Required implicitly by consent framework | Explicitly required in first message |
| Time-of-day restrictions | 8am, 9pm applies to calls; SMS less clear | Not specified; carriers focus on content |
| 10DLC registration | Not required by statute | Required by carriers for A2P traffic |
| SHAFT content restrictions | Not in statute | Carriers prohibit sex, hate, alcohol, firearms, tobacco without age gates |
The consent requirements effectively merge. If you have valid TCPA prior express written consent, you've also cleared the CTIA consent bar, because CTIA mirrors the FCC standard. The gap runs one direction. CTIA piles on requirements the TCPA doesn't, like 10DLC registration and content filtering.
Here's where people trip. The TCPA's opt-out window follows FCC guidance and the Telemarketing Sales Rule at 16 C.F.R. Part 310, which points to roughly 10 business days for telemarketing. [12] CTIA expects opt-outs processed almost instantly, within minutes. Wait 10 days to honor a STOP request and you might survive a generous reading of federal rules, but the carrier reads it as a complaint signal and filters your traffic anyway. Honor STOP requests inside the same message session. Done.
What is 10DLC registration and is it required by law?
10DLC registration is not required by the TCPA or any federal statute. It's a carrier-mandated process for businesses sending application-to-person (A2P) SMS over 10-digit long code numbers. [4] Carriers built it in 2021 to fight spam and see who is using their networks for commercial messaging.
Why it matters despite not being law: send A2P marketing over an unregistered 10DLC number and major carriers filter or block it. Most of the time you won't get an error. Messages just quietly fail. The deliverability hit makes skipping registration commercially pointless, even though no court will ever fine you for it.
Registration runs in two layers. First you register your brand with The Campaign Registry (TCR), which checks your EIN and business identity. Then you register each campaign use case, describing what you'll send and confirming you have consent. Fees run roughly $4, $10 per brand registration plus $10, $15 per campaign per month depending on your aggregator, though these vary and aggregators set their own pass-through pricing.
Short codes (5- or 6-digit numbers) have their own approval track through the US Short Code Administration, separate from 10DLC and older. [5] Toll-free numbers used for A2P SMS need toll-free verification, a similar process carriers rolled out in 2023. Any number type you use for commercial SMS needs registration under the carrier framework, even though none of it appears in 47 U.S.C. § 227.
For teams building out text message marketing, 10DLC registration is step zero. Nothing compliant ships before it's done.
What are SHAFT restrictions and do they affect your TCPA compliance?
SHAFT is a CTIA acronym for content categories carriers restrict: Sex, Hate, Alcohol, Firearms, and Tobacco. Carriers can refuse to deliver messages in these categories unless you have the right controls, like age verification or program-specific carrier approval. [3]
SHAFT has no parallel in the TCPA. The statute doesn't tell you what content is allowed. It cares about consent, identification, and opt-out. You can have flawless TCPA compliance and still get blocked because your message promotes a licensed firearms retailer without carrier pre-approval.
This bites outbound sales teams in regulated industries. Sell alcohol, cannabis (which carriers treat even harder than alcohol), firearms, or certain financial products, and your campaign registration may get rejected or demand extra documentation. Some categories are flatly banned no matter what consent you hold. Cannabis is the clearest example: carrier policy tracks federal law, not the states that legalized it.
CTIA guidelines also restrict loan content beyond anything in the TCPA. Carriers have blocked or flagged short-term loan offers, payday lending, and debt collection messaging. A lot of that is because these categories throw off high complaint rates, which carriers read as a sign of likely non-compliance. High complaint rates trigger CTIA enforcement even when the messages carry valid TCPA consent.
Check CTIA content restrictions before you design your templates. Not after your campaign gets blocked.
What does valid TCPA consent look like for SMS specifically?
For marketing texts, the FCC requires prior express written consent. The 2012 order defined this as an agreement that "clearly authorizes the seller to deliver or cause to be delivered to the person... advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice," with disclosure that consent isn't a condition of purchase. [1]
Written consent for SMS doesn't mean an ink signature. A web form checkbox, a keyword opt-in by text, or a digital form with a clear TCPA disclosure all qualify if they capture the agreement. The disclosure has to name your company specifically, not a generic "the seller," and the language has to be conspicuous. Buried in a privacy policy doesn't work.
CTIA layers on more. The first message in any SMS program must include who is texting, what the program is, how often messages come (or that frequency varies), a message-and-data-rates disclosure, and instructions to opt out and get help. Skip those in your first message and carriers may tag your traffic as higher-risk.
Here's a landmine for sales teams. A lead-gen form where someone drops their number to grab content or get a quote does not, by itself, create TCPA consent for marketing texts. The form needs a separate, unchecked box with specific TCPA language. The FCC made this explicit, and courts have held sellers liable even when a third-party lead generator collected the consent. [1] You bought the lead, you own the risk if the paperwork is thin.
For operational texts like appointment reminders or order confirmations, the standard drops to prior express consent, a lower bar. But plenty of "sales" texts read as marketing no matter how you label them internally.
How do CTIA guidelines affect opt-out and STOP message handling?
Both frameworks make you honor opt-outs. The TCPA requires it within a reasonable time, and FCC guidance points to 10 business days, though some courts read it more strictly. [1] CTIA sets a functionally immediate standard because carriers monitor opt-out response time as a compliance signal.
CTIA says STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT must all trigger opt-out processing. Your platform has to catch every one, more than STOP. The guidelines also require a single confirmation message after opt-out, then silence. Sending even one more marketing message after a STOP request is a TCPA violation per text, and a carrier complaint signal on top of that.
Here's where it gets messy. Opt-outs are program-specific by default under CTIA rules, but TCPA liability is company-wide in a plaintiff's eyes. Say someone texts STOP to one campaign and you run three short codes for three programs. The CTIA rule technically covers the number they messaged. A plaintiff's attorney will argue the TCPA opt-out covers every commercial text from your company. Play it safe: treat any STOP as a company-wide opt-out from that number unless the person explicitly re-opts into a different program.
Managing do-not-contact lists alongside DNC scrubbing? The do not call list guide covers how the National DNC Registry intersects with your internal opt-out obligations.
Can carriers block your SMS traffic even if you're TCPA compliant?
Yes. This is the single most misunderstood point in the whole CTIA/TCPA relationship. TCPA compliance does not shield you from carrier filtering.
Carriers block algorithmically, based on complaint rates, content analysis, sending patterns, and registration data. If your complaint rate crosses certain thresholds (CTIA doesn't publish exact numbers, and carriers differ), traffic gets filtered. It happens even when every recipient gave valid prior express written consent, because a complaint from someone who says "I don't want this" counts against you no matter what your consent file says.
Carriers also weigh sending velocity, content, URL reputation, and whether your registered use case matches your actual traffic. Register a campaign for appointment reminders, then send promotional offers, and the mismatch triggers filtering. That's a CTIA violation, not a TCPA one, but the effect is identical. Your messages stop.
The FCC has grown more supportive of carrier blocking authority. Its 2022 order on robocall and robotext mitigation encouraged carriers to build reasonable analytics-based blocking. [7] The FCC hasn't moved to restrict carrier filtering of SMS, so that authority isn't going anywhere.
TCPA compliance is your floor, not your ceiling. Build your SMS program to satisfy both frameworks at once, because clearing only one still leaves you exposed.
What are the real financial risks if you violate TCPA versus CTIA rules?
TCPA violations are financially catastrophic at scale. Statutory damages run $500 per text for standard violations and $1,500 per text for willful ones. [2] Class actions are common because TCPA plaintiffs don't have to prove actual harm, only that they got the non-compliant text. A campaign that sends 100,000 texts without proper consent stares down $50 million in potential statutory damages at $500 apiece.
Settlements bear this out. The FCC and FTC have issued enforcement actions in the millions, and private class actions routinely settle in the seven- to eight-figure range. The Credit One TCPA settlement is one public example, and it's not an outlier.
CTIA violations don't spawn lawsuits. They spawn operational damage. Your short code gets suspended, your toll-free verification gets revoked, or your aggregator terminates your account. No fine. But if SMS drives revenue, losing it overnight is its own financial event. Rebuilding carrier trust after a suspension can take months, and some carriers keep internal blacklists of bad actors.
One data point worth holding onto: the FCC reported more than 18,000 consumer complaints about unwanted text messages in fiscal year 2022. [7] That volume drives both regulatory attention and carrier behavior. Both risks feed off the same consumer experience.
How should a small outbound team structure SMS compliance to satisfy both frameworks?
Start with consent. Get prior express written consent that names your company, describes the program, discloses message-and-data rates, includes a STOP instruction, and states that consent isn't required to buy. Capture the timestamp, IP address, and the exact disclosure text shown at the moment of opt-in. Store all of it. You'll need it if you get sued.
Register before you send. Finish 10DLC brand and campaign registration through your platform or aggregator before a single A2P message leaves a 10-digit number. Using a short code or toll-free number? Complete the verification for that number type. Carriers give no leeway here.
Build opt-out handling that answers every CTIA keyword immediately. Don't batch opt-outs overnight. Process them in the same session. Keep a company-wide suppression list and check it before every send. If someone opted out of any program, suppress them from all of them unless they explicitly re-opt in.
Scrub against the National DNC Registry if any text could read as telemarketing and you're relying on an established-business-relationship exemption (18 months from a purchase, 3 months from an inquiry). That's a TCPA requirement, and the guide on how to get the do not call list covers the access process.
Keep your complaint rate low. This is more a CTIA concern than a TCPA one, but a high complaint rate is also evidence of consent problems. Aim well below 0.1% of delivered messages. Carriers don't publish exact thresholds, so lower is always the right direction.
Review message content against SHAFT restrictions before launch, not after your aggregator rejects the registration. In a restricted vertical, get carrier approval up front. LeadCompliant's compliance kit includes consent language templates and a pre-send checklist covering both TCPA and CTIA, which beats drafting from a blank page.
What has the FCC said about CTIA guidelines and carrier enforcement of SMS rules?
The FCC has largely welcomed carrier-level enforcement as a supplement to its own authority. Its 2022 Report and Order on robocalls and robotexts directed voice providers to implement blocking and pushed parallel action on texts. [7] The FCC has also stated, again and again, that its TCPA rules set a floor, not a ceiling. Carriers and states can go stricter.
The 2012 order is the anchor for SMS consent. It extended prior express written consent to marketing texts, killed the established-business-relationship exemption for autodialed calls and texts, and required that consent not be a condition of purchase. [1] A verbatim line from the order: "Prior express written consent means an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages." [1]
More recently, the FCC's one-to-one consent rule, adopted in December 2023, would have required consent to be given to one seller at a time, ending the lead-gen habit of collecting a single consent for many sellers. [8] That rule ran into legal challenges and the implementation timeline moved. At time of publication, its status is uncertain, so check the FCC's site for updates rather than assuming it's live.
The FCC doesn't directly enforce CTIA guidelines. It has cited industry best practices in its orders and encouraged carriers to keep their own standards. So FCC policy and CTIA guidelines point the same direction even when neither cites the other.
Are there state laws that add more rules on top of TCPA and CTIA?
Yes, and this risk layer gets ignored too often. Several states passed their own telemarketing or privacy laws that touch outbound SMS in ways the TCPA doesn't.
Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a private right of action for unwanted texts sent with automated systems, with statutory damages of $500 per call or text. [9] Florida doesn't require an ATDS as defined under federal law. Its standard is broader, so some SMS platforms that arguably aren't ATDSs under the TCPA after Facebook v. Duguid still trip FTSA liability.
California's CCPA and CPRA add consent and data-handling duties for personal data, including phone numbers. Process Californians' numbers and you carry disclosure and opt-out obligations that interact with, but sit apart from, TCPA consent.
Oklahoma, Washington, and other states have similar telemarketing statutes with their own private rights of action. The practical read: if you send nationally, assume your riskiest recipients live in the states with the broadest private rights of action, and build consent to that standard.
CTIA guidelines are national and don't vary by state. The TCPA preempts weaker state laws but explicitly lets states enact stronger consumer protections. So the CTIA/TCPA stack is your baseline, and state law stacks more on top.
What recent court cases clarify how TCPA applies to SMS outbound?
Facebook v. Duguid (2021) is the Supreme Court case that narrowed the definition of an autodialer. [10] The Court held a device must have the capacity to store or produce phone numbers using a random or sequential number generator to count as an ATDS. Many modern SMS platforms don't fit, because they send to lists, not randomly generated numbers. This cut TCPA exposure for some SMS programs. It's not a free pass.
State laws like Florida's FTSA fill the gap Duguid opened at the federal level. And the FCC is weighing a rulemaking that could widen the ATDS definition again. Courts in the Ninth Circuit and elsewhere keep finding liability for texts sent to reassigned numbers, where someone who gave consent no longer owns the line. That's a real operational risk at scale.
The reassigned-number problem has an FCC fix: the Reassigned Numbers Database, which carriers feed disconnected numbers into. [11] Checking it before sending is a TCPA risk-mitigation step, not a CTIA requirement, but it's worth doing for any list that isn't fresh.
Running cold calling alongside SMS? The ATDS question applies to voice calls too. Duguid covers both channels, but state law exposure differs between them.
Frequently asked questions
Does following CTIA guidelines mean I'm TCPA compliant?
Not automatically. CTIA guidelines overlap heavily with TCPA requirements, but they're separate frameworks. CTIA adds rules the TCPA doesn't have, like 10DLC registration and SHAFT content restrictions. The TCPA has specific consent rules and a private right of action that CTIA doesn't replicate. You have to satisfy both independently. Meeting one doesn't guarantee the other.
What happens if I skip 10DLC registration?
Major carriers will filter or block your A2P text traffic on unregistered 10-digit long code numbers. You often won't get a warning. Messages simply stop delivering reliably. Carriers introduced 10DLC enforcement in 2021, and it's now standard across AT&T, T-Mobile, and Verizon. 10DLC isn't a TCPA requirement, but skipping it makes commercial SMS effectively non-functional.
Can I use an existing email consent to send marketing texts?
No. TCPA prior express written consent for marketing texts must specifically authorize text messages from your company with a clear disclosure. A general email consent or a privacy policy acceptance doesn't meet the FCC's 2012 standard. The consent has to name your company, describe the messaging program, and include opt-out instructions. Get separate, specific mobile consent.
How quickly do I have to honor an opt-out text?
CTIA guidelines expect essentially immediate processing, meaning within the same message session. FCC TCPA guidance references 10 business days, but sending even one more marketing message after a STOP request is a distinct TCPA violation. Carrier algorithms also track how fast you process opt-outs and read slow responses as a complaint signal. In practice, process STOP requests within minutes.
Are there content restrictions in TCPA that I need to know about?
The TCPA itself focuses on consent, identification, and opt-out, not content. Content restrictions for SMS come mainly from CTIA guidelines and carriers. The SHAFT categories (Sex, Hate, Alcohol, Firearms, Tobacco) need carrier pre-approval or are prohibited. Cannabis content is blocked by most carriers regardless of state law. Deceptive content can also implicate FTC Act Section 5, separate from the TCPA.
Does the National DNC Registry apply to text messages?
The FCC's rules applying the National DNC Registry to telephone solicitations extend to texts, though the application is less litigated than for calls. The safer reading is yes. If you're sending marketing texts and a number is on the DNC Registry, you need an exemption like prior express consent to contact it. See the do not call list guide for how registry scrubbing works.
What is the difference between prior express consent and prior express written consent?
Prior express consent, the lower standard, applies to informational or operational texts like appointment reminders. Prior express written consent is required for marketing texts under the FCC's 2012 rules. Written consent must be a clear, unambiguous agreement that specifically authorizes marketing texts from your company and states that consent isn't required to make a purchase. Oral consent doesn't meet the written standard.
How does Facebook v. Duguid affect SMS marketing compliance?
The Supreme Court's 2021 Facebook v. Duguid decision narrowed the ATDS definition to devices that use random or sequential number generation. List-based SMS platforms that dial from a stored list may not qualify as ATDSs under federal TCPA. That cut some liability, but state laws like Florida's FTSA use broader standards, and CTIA guidelines apply regardless of ATDS status. Don't treat Duguid as a compliance off-ramp.
Can carriers permanently block my number from SMS marketing?
Yes. Carriers keep internal records of numbers and short codes with violation histories. A short code suspended for policy violations may not be reinstated. Toll-free verifications can be revoked. In severe cases, carriers can blacklist sending infrastructure tied to repeat violations. Rebuilding delivery access after a suspension can take months and may require provisioning new numbers.
Do I need separate consent for each SMS campaign I run?
Not necessarily separate consent per campaign, but your consent disclosure has to describe the program accurately. One clear disclosure covering multiple message types from your company can work. You run into trouble when you use consent captured for one program (say, a loan application) to send unrelated marketing (say, a referral offer). The consent has to match the use case.
What are the CTIA requirements for the first message in an SMS program?
CTIA guidelines require the first message after opt-in to include your company or program name, a description of what the program sends, the expected message frequency (or that it varies), a disclosure that message and data rates may apply, and instructions for opting out (STOP) and getting help (HELP). Missing these in the first message is a CTIA violation that can affect your campaign registration status.
Is cannabis SMS marketing legal under TCPA if I have consent?
TCPA consent is necessary but not enough for cannabis SMS. Carriers apply federal policy, not state law, and cannabis remains federally controlled. Most major U.S. carriers prohibit cannabis marketing messages regardless of consent or state legalization. Your campaign registration will get rejected and traffic will be filtered. This is a CTIA and carrier policy issue, not a TCPA question.
What records should I keep to defend against a TCPA SMS lawsuit?
Keep the exact consent disclosure text shown to the consumer, the timestamp and IP address of opt-in, confirmation of the opt-in action (checkbox click, keyword text received), the phone number tied to the consent, and any messages exchanged with that number. Retain opt-out records with timestamps too. Courts have found defendants liable when they couldn't produce consent records. Store records at least 4 years to cover the TCPA statute of limitations.
How do CTIA rules handle reassigned phone numbers?
CTIA guidelines don't address reassigned numbers specifically, but the TCPA creates liability for texting a number reassigned after consent was given. The FCC's Reassigned Numbers Database lets senders check whether a number has been reported as disconnected. Checking it before sending to aged lists is a recommended TCPA risk-reduction step, especially for lists more than a few months old.
Sources
- FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 (2012 Omnibus Order, FCC 12-21): FCC extended TCPA to text messages and established prior express written consent requirement for marketing texts in 2012, including seller responsibility for consent collected by lead generators
- U.S. Code, 47 U.S.C. § 227 – Telephone Consumer Protection Act: Statutory damages of $500 per violation, up to $1,500 for willful violations, with private right of action
- CTIA, Messaging Principles and Best Practices: CTIA Messaging Principles and Best Practices establish carrier-enforced rules for commercial SMS including opt-out, consent, and SHAFT content restrictions
- The Campaign Registry (TCR), 10DLC A2P messaging registration: 10DLC registration is a carrier-mandated program introduced in 2021 requiring brands to register for A2P long-code SMS traffic
- US Short Code Registry: Short codes for SMS marketing require registration through the US Short Code Registry, separate from 10DLC
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059, Florida Statutes: Florida's FTSA as amended in 2021 created a private right of action for automated marketing texts with $500 per-text damages under a broader ATDS definition than federal TCPA
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held in 2021 that ATDS requires capacity to use random or sequential number generation, narrowing the definition and reducing TCPA exposure for list-based SMS platforms
- FCC, Reassigned Numbers Database: FCC's Reassigned Numbers Database allows senders to check whether a number has been disconnected to mitigate TCPA liability from texting reassigned numbers
- FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): FTC Telemarketing Sales Rule governs opt-out timing and DNC requirements applicable alongside TCPA for telemarketing communications