Last updated 2026-07-11

TL;DR
Building an SMS compliance program means getting written prior express consent before texting, disclosing your program at the point of opt-in, honoring opt-outs immediately, and keeping a record of every consent event. TCPA violations cost $500 to $1,500 per message. A small team can build a solid program in a few weeks without a big budget.
What does an SMS compliance program actually cover?
An SMS compliance program is the full set of policies, technical controls, and records that give every text your business sends a legal basis to exist. It's more than a checkbox on a founder's to-do list. It's the thing that keeps a seven-figure class action off your desk.
The legal backbone is the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. Congress passed it in 1991, and the FCC has tightened it ever since. The statute restricts autodialed or prerecorded messages to cell phones without prior express written consent. "Prior" means before the first message. "Written" can be electronic, but it has to be an affirmative act by the consumer.
A real program covers five layers:
1. Consent acquisition and documentation 2. Required disclosures at opt-in 3. Opt-out processing and suppression 4. Do-not-contact list scrubbing 5. Ongoing audits and staff training
Every one of these layers has a failure mode that produces liability. Most small teams get burned on layer one (they never had real written consent) or layer three (someone unsubscribed and still got a message three days later). Build all five or the rest don't matter.
For background on the federal law underpinning all of this, see our guide to the tcpa.
What is the TCPA's consent requirement for text messages?
The TCPA requires "prior express written consent" for autodialed or prerecorded telemarketing texts to cell phones [1]. That phrase has a defined legal meaning in the FCC's rules at 47 C.F.R. § 64.1200(f)(9): a written agreement, including an electronic one, that clearly authorizes the seller to send marketing texts, names the phone number being consented to, and is signed by the person giving consent [11].
Consent can't be a condition of buying anything. You cannot make someone check a box to complete a purchase and have that box double as TCPA consent. The consent has to be separate and voluntary.
What qualifies as written consent in practice:
- A web form checkbox (unchecked by default) with a disclosure statement right next to it
- A keyword opt-in where the consumer texts a word to your number
- A signed paper form
- A recorded verbal agreement captured in writing immediately after
What does NOT qualify:
- A pre-checked box
- Consent buried in Terms of Service the user never saw
- An oral agreement with no written follow-up
- Consent obtained by a third party that never named your specific company
That last point is getting more attention. The FCC's one-to-one consent rule requires consent for each individual seller, not a broad category of partners or an entire lead generation network [3]. If you buy leads from a list broker, the consent on file almost certainly does not cover you unless your company was named at the point of capture.
For text message marketing to be legal, the consent chain has to trace back to one identified sender: you.
What disclosures do you need at the opt-in point?
FCC rules and CTIA guidelines both require specific disclosures at the moment someone opts in. These are the things you have to say before you earn permission to say anything else.
Required disclosures at opt-in [4][11]:
- The identity of your company (or the specific brand sending messages)
- A description of the message program (e.g., "promotional offers and updates")
- The expected frequency (e.g., "up to 4 messages per month")
- That message and data rates may apply
- How to opt out (e.g., "Reply STOP to cancel")
- How to get help (e.g., "Reply HELP for help")
- A link to your privacy policy and terms of service
The CTIA Messaging Principles and Best Practices document spells out format and placement [4]. The disclosures have to be readable. Font size matters. Gray them out at 8pt below the fold and you have a problem.
A typical web opt-in disclosure reads like this:
By checking this box, you agree to receive recurring promotional SMS messages from [Company Name] at the number provided. Message frequency varies, up to 6/month. Message and data rates may apply. Reply STOP to unsubscribe. Reply HELP for help. View our Privacy Policy and Terms.
That language belongs immediately next to the phone number field and the consent checkbox. Not on a separate page. Not in a modal most people close. Right there.
For keyword opt-ins (texting a word to a short code), you have to send a confirmation message carrying most of the same disclosures. The confirmation text is your documented proof of consent. Save it.
How do you document and store consent records?
Consent records are your entire defense in a TCPA lawsuit. Without them, there is no defense. A plaintiff's attorney files a complaint, your carrier shows you sent 40,000 texts, and if you can't produce a consent record for each recipient, you lose on a per-message basis at $500 to $1,500 per text [1].
What a consent record needs to contain:
| Field | Why it matters |
|---|---|
| Phone number | Ties consent to the specific recipient |
| Date and time of consent | Proves consent was "prior" to the first message |
| IP address (for web opt-ins) | Proves the consent was real and not fabricated |
| Form URL or source | Shows exactly what disclosure language was presented |
| Opt-in method | Web form, keyword, paper, verbal follow-up |
| Consent language shown | The exact text the person agreed to |
Store these records in a database you control, separate from your SMS platform. Platforms get acquired, change terms, or lose data. Export consent records on a schedule and keep them at least four years. The TCPA's four-year statute of limitations under 28 U.S.C. § 1658 means a lawsuit can arrive years after the messages went out [1].
For keyword opt-ins, your SMS platform logs the inbound message. Pull that log into your CRM or a separate compliance database on a regular schedule. Don't rely on a single system.
Buying leads? Demand that the data provider hand over the consent record, including the form URL, timestamp, and IP address. Then run a sample of those URLs. If the page doesn't exist or doesn't carry proper disclosures, you're holding worthless consent. The FCC's one-to-one consent rules make this even more important [3].
How do you handle opt-outs and do-not-contact lists?
The TCPA requires you to honor opt-out requests, and the FCC has been clear that consumers can opt out at any time. Your platform should process STOP replies automatically, but the law doesn't care if your platform had a glitch. The liability is yours.
Standard opt-out keywords you must honor: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT. The CTIA requires that all compliant SMS programs recognize these words [4]. You should also honor any plain-language request to stop, even when it doesn't use a keyword.
After an opt-out, you may send one final confirmation message. That's it. The confirmation can read something like "You've been unsubscribed from [Company] texts. No more messages will be sent." Anything beyond that confirmation is a violation.
Your internal do-not-contact list has to sync with your sending platform before every campaign, not once a month. Someone opts out Tuesday, you send Thursday without checking suppression, and you have a problem. Automate the sync. Don't leave it a manual step.
You also need to scrub against the National Do Not Call Registry for any text that could count as a solicitation. The registry was built for phone calls, but the FCC applies DNC protections to text messages sent to residential lines [5]. For more on how the registry works and how to access it, see our piece on the do not call list.
The mobile phone do not call list question comes up a lot. Mobile numbers fall under both TCPA and DNC rules. Registering a cell number on the DNC list doesn't erase the need for TCPA consent, but you still have to scrub it.
What are the TCPA penalties for SMS violations, and how bad do they get?
Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation for negligent violations and up to $1,500 per willful or knowing violation [1]. Each individual text is a separate violation. Send one campaign to 50,000 people without proper consent and you're looking at $25 million in statutory damages at the low end.
Those aren't hypothetical numbers. The Cash App TCPA class action settled for $8.5 million (see our coverage of the cash app tcpa class action settlement). Credit One Bank settled a TCPA case for $13 million (see the credit one tcpa settlement breakdown). These are companies with legal teams. A small business gets the same exposure with none of the cushion.
The TCPA is a strict liability statute in most circuits. You don't have to intend to violate it. A technical failure in your opt-out system, a vendor that imports a bad list, a platform bug that fires a duplicate campaign, any of these can create real liability even when you were acting in good faith.
The FCC can also issue forfeitures on its own, apart from private lawsuits. In 2021, the agency issued a $225 million forfeiture against health insurance lead generators for illegal robocalls, the largest robocall fine in its history [6]. The enforcement climate for texts is moving the same direction.
One cheap way to cut exposure: run your contact lists through a consent and DNC checker before every campaign. LeadCompliant offers free phone number checkers that flag DNC-registered numbers before you send. It takes about two minutes and catches the most obvious violations.
How do state laws change what you need to do?
Federal TCPA sets the floor. States can and do go higher.
California's Consumer Privacy Act (CCPA) and its amendment, the CPRA, stack data rights obligations on top of TCPA consent rules [7]. If you text California residents, they can request deletion of their data, opt out of the sale of their data, and expect a privacy policy that names your SMS program.
Florida's Telephone Solicitation Act (FTSA), effective in 2021, is stricter than TCPA in some respects. It requires prior express written consent for any automated text to a Florida area code, limits calling hours, and creates a private right of action with $500 per call in damages [8]. Florida has drawn a wave of FTSA litigation aimed at SMS programs.
Oklahoma, Washington, and several other states run their own telemarketing statutes that add requirements. The general principle: if your program reaches residents of states with stricter laws, build to those higher standards.
The practical move for a small team is to build to the strictest applicable standard and apply it to everyone. Segmenting consent flows by state is possible, but it adds complexity and failure points. One strong national standard beats a patchwork every time.
For a deeper look at how state laws interact with federal rules, see our state laws hub.
How do you set up your SMS platform for compliance?
Your SMS platform is part of your compliance infrastructure, but it's not a compliance program by itself. Twilio, EZTexting, SimpleTexting, and the rest give you tools. What you do with them is your responsibility.
Platform configuration checklist:
- Enable automatic STOP/opt-out processing and verify it works with a test message
- Connect your suppression list to the platform via API or daily import
- Turn on logging for all inbound and outbound messages
- Set rate limiting so you don't send in bulk during restricted hours (8 AM to 9 PM in the recipient's local time zone, per FCC rules [11])
- Configure your sender ID to be recognizable as your brand
- Require two-factor confirmation of any manual list upload
Sending times matter more than most teams realize. The TCPA's quiet hours run on the recipient's local clock, not yours. Text someone in Los Angeles from New York and 8 PM Eastern is 5 PM Pacific, which is fine. The cutoff is 9 PM in the recipient's local time. Get that math wrong at scale and you have a campaign full of violations.
Short codes, long codes, and toll-free numbers all carry different compliance rules. Short codes have higher throughput and clearer carrier filtering. 10DLC (10-digit long codes) require registration through The Campaign Registry, which adds a step but improves deliverability and carrier trust [9]. Toll-free numbers require verification. Every format has specific CTIA and carrier rules that govern acceptable use. Don't pick one on cost alone.
What does 10DLC registration require and why does it matter?
10DLC stands for 10-digit long code. Since 2021, US carriers have required businesses that send texts through 10-digit phone numbers to register their brand and campaigns with The Campaign Registry (TCR) [9]. Skip registration and your messages get filtered or blocked.
Registration has two parts. First, brand registration: you submit your company's legal name, EIN, address, and website. Second, campaign registration: you describe the specific use case (marketing, customer service, 2FA), provide sample message content, and confirm your opt-in procedures.
From a compliance angle, 10DLC registration is useful because it forces you to document your opt-in process in writing at the carrier level. If you can't describe a clear, legal opt-in flow during registration, that's a signal your program has a consent problem before a single message goes out.
Costs are low. Brand registration is a one-time fee (usually $4 to $5), and campaign registration runs $10 to $15 per campaign per month depending on use case [9]. Carriers also charge throughput fees. These aren't TCPA compliance costs exactly, but they run parallel to the compliance work.
Short code programs need a separate application filed with carriers through a CSP (Campaign Service Provider). That process takes longer (typically 8 to 12 weeks) and costs more, but short codes support much higher message volume.
Either way, registration is table stakes. An unregistered 10DLC number in 2025 will have most of its messages filtered before they ever reach the recipient.
How do you audit an SMS program that's already running?
Inherited an SMS program, or built one without formal controls? The audit is more urgent than building from scratch, because the exposure already exists.
Start with a consent audit. Pull every number in your active sending list and check whether you hold a consent record for it. Not a note that someone was in your CRM. A record with timestamp, source, and the specific consent language they agreed to. Numbers without complete records get suppressed immediately until you can verify consent. This is uncomfortable when your list is large. The alternative is worse.
Next, check your opt-out suppression list. Are there numbers in your active list that sent STOP at any point? A basic query of your SMS platform logs shows inbound messages. Cross-reference that against your send list. Any overlap is a live violation.
Then audit your disclosures. Pull up every opt-in form or flow you have. Does each one carry all required disclosures? Is the checkbox unchecked by default? Is the consent language clearly visible? Take timestamped screenshots and save them. They become evidence in your favor if you're ever challenged.
Finally, audit your outbound content. Does every message identify your company? Does every message include opt-out instructions? FCC rules require every marketing text to let the consumer opt out [11]. Some programs put STOP instructions only in the first message and drop them after. That's a gap.
Document the audit in writing: what you found, what you fixed, and when. An audit trail showing good-faith remediation can matter in litigation even when violations existed.
What ongoing processes keep an SMS compliance program healthy?
A compliance program is not a one-time setup. It degrades without maintenance.
The minimum ongoing process stack for a small team:
- Pre-campaign suppression scrub: before every send, pull the current opt-out list from your platform plus any manually logged opt-outs and strip them from the send file. Five minutes if your systems are connected.
- DNC scrub: register with the FTC's National Do Not Call Registry and scrub your list every 31 days at minimum if you're a high-volume sender, or quarterly if you're smaller [5]. See our guide on how do i get the do not call list for the registration process.
- Annual consent review: once a year, check how old your consent records are. CTIA best practices suggest consent more than 18 to 24 months old for a contact you haven't recently messaged may be stale. Re-permission campaigns are worth running on dormant lists.
- Content review: any time you launch a new campaign or template, have someone outside marketing read it and confirm it carries the required disclosures and doesn't promise something your program can't deliver.
- Staff training: anyone who can upload a list, trigger a campaign, or manage contact records needs the basics of what's allowed. One untrained employee uploading a purchased list can undo a year of careful compliance work.
LeadCompliant's free compliance kit includes a consent audit checklist and a suppression workflow template that small teams can adapt without building from scratch.
None of this is complicated. It's mostly discipline and documentation.
What should be in your SMS compliance policy document?
Every SMS program should have a written internal policy. Not for the FCC. For you. When there's employee turnover, a vendor change, or an audit, the policy keeps your program consistent.
A basic SMS compliance policy document should cover:
- Who is authorized to create and send SMS campaigns
- What consent types are acceptable (and which are not)
- Required disclosures for every opt-in flow
- How opt-out requests are processed and by whom
- How long consent records are stored and where
- How the suppression list is maintained and synced
- Sending hours restrictions
- The process for reviewing new message templates before they go out
- What happens when a consumer complains or sends a legal demand letter
The policy doesn't need to be long. Two to four pages is enough for most small teams. The point is that it exists, it's been communicated to everyone who touches the SMS program, and it gets updated when regulations or processes change.
Keep a version history. If a lawsuit arrives claiming violations from 18 months ago, you want to show what your policy was then and demonstrate it was reasonable.
This is the unglamorous documentation work most small teams skip because there's always a more pressing campaign to run. But a written policy, followed consistently, is one of the most credible things you can put in front of a plaintiff's attorney or an FCC investigator.
Frequently asked questions
Do I need consent to send transactional texts, or just marketing texts?
TCPA's written consent requirement applies to marketing and promotional texts. Purely transactional messages, like appointment reminders or order confirmations, need only "prior express consent" (not the more demanding written standard) if they carry no promotional content. The moment a transactional message includes an offer, a discount, or a push to buy, it becomes marketing and the higher written consent standard applies. Keep transactional and promotional messages separate.
Can I text people who gave me their number on a paper form at an event?
Yes, if the paper form carried proper TCPA disclosures and the person signed it. The form has to identify your company, describe the message program, state frequency, disclose that message and data rates may apply, and explain how to opt out. Without those disclosures, the signature isn't valid prior express written consent under 47 C.F.R. § 64.1200. Scan and store every signed form with the date and location of the event.
How long do I have to honor an opt-out request?
The FCC's rules require opt-out requests be honored promptly. The FTC's DNC rule allows up to 31 days for the National DNC Registry, but for SMS the TCPA expectation is immediate processing. CTIA guidelines say opt-outs should be processed before the next message goes out. In practice, your platform should handle STOP replies in real time. Any delay creates liability, and "our platform was slow" is not a legal defense.
What is the one-to-one consent rule and does it affect my SMS program?
The FCC's one-to-one consent rule requires TCPA consent for each individual seller specifically, not for a broad category of companies or a lead generation network. If you buy leads where consumers consented to hear from "marketing partners," that consent no longer covers you under the rule. Each consumer has to have agreed to hear from your company by name [3].
What counts as an autodialer under TCPA for SMS purposes?
After the Supreme Court's 2021 decision in Facebook v. Duguid, an autodialer is a system that uses a random or sequential number generator to store or dial numbers. A system that simply dials from a stored list without random or sequential generation may not qualify. This remains litigated at the circuit level, and many SMS platforms use functionality that could still qualify. Ask counsel about your specific platform before assuming you sit outside TCPA's autodialer definition [10].
How do I handle consent when I acquire another company's customer list?
Inherited lists are high-risk. Consent obtained by another company generally covers that company, not you, especially under the FCC's one-to-one consent rule. Before texting any acquired list, review the original opt-in documentation to confirm your company or brand was named, the disclosures were adequate, and the records are complete. Suppress any numbers without clear, documented consent. A re-permission campaign via email (if you have emails) is often the safest approach.
Do quiet hours rules apply to all time zones or just mine?
TCPA's quiet hours (before 8 AM and after 9 PM) apply to the recipient's local time zone, not the sender's. If your platform doesn't apply time zone logic automatically based on area code or stored location data, build that check into your campaign setup by hand. Sending at 9 PM Eastern that hits West Coast numbers at 6 PM Pacific is fine. Sending at 10 PM Eastern that hits East Coast numbers at 10 PM Eastern is a violation [11].
Are there rules about what content I can include in a compliant SMS?
Yes. Every marketing text has to identify your company, include opt-out instructions (STOP to unsubscribe is standard), and avoid deceptive content under FTC rules. You can't promise a prize that doesn't exist, misrepresent what you're selling, or hide who the message is from. CTIA guidelines also ban certain content categories (hate speech, illegal content, phishing) that get your short code or 10DLC campaign terminated by carriers regardless of consent [4].
What records do I need to keep, and for how long?
Keep consent records at least four years to match the TCPA statute of limitations under 28 U.S.C. § 1658 [1]. Records should include the phone number, date and time of consent, opt-in method, IP address for web opt-ins, and the exact disclosure language shown. Keep logs of outbound messages sent and inbound opt-out requests too. Store all of it independently of your SMS platform in case you switch vendors or the platform loses data.
Does the Do Not Call Registry apply to text messages?
The FCC has held that text messages to residential subscribers fall under DNC protections, and mobile numbers can be registered on the National DNC Registry. Scrubbing your list against the registry does not replace TCPA consent requirements. Both apply independently. If a number is on the DNC list and you don't have an established business relationship or consent exception, don't text it. Register for registry access at donotcall.gov [5].
What is the risk of using a lead vendor for SMS outreach?
Significant. Many lead vendors sell lists with consent that's fabricated, expired, or captured through disclosure language that doesn't meet TCPA standards. Under the FCC's one-to-one consent rule, that consent almost certainly doesn't cover you specifically. Before using any vendor list for SMS, audit a sample of their consent records, confirm your company name appeared on the opt-in form, and get a written representation about their consent practices. None of that fully protects you, but it shows good faith.
Can I remarket via SMS to someone who bought from me years ago?
The established business relationship (EBR) defense is weaker for SMS than for voice calls, and it doesn't erase the written consent requirement for marketing texts under post-2012 FCC rules. An existing customer relationship may support a transactional or relationship message, but a promotional text to a past customer still needs prior express written consent under 47 C.F.R. § 64.1200(a). The longer the gap since their last interaction, the harder any implied consent argument gets.
What should I do when I receive a demand letter or lawsuit threat related to SMS?
Stop sending to the number named in the demand immediately. Pull the consent record for that number. Don't delete anything. Engage a TCPA defense attorney before you respond. If you have a complete consent record with the right documentation, you have a strong defense. If you don't, your attorney needs to know that early. Many TCPA demand letters come from serial plaintiffs or their attorneys chasing quick settlements. How you respond in the first 48 hours shapes the whole case.
How much does it cost to build a basic SMS compliance program?
The core costs: 10DLC brand registration (one-time, roughly $4 to $5), campaign registration (roughly $10 to $15 per campaign per month), a consent management system or CRM add-on (free to a few hundred dollars per month depending on volume), and DNC registry access (free for small scrubs via donotcall.gov, or commercial scrubbing services starting around $25 to $50 per month for automated checks). Legal review of your consent forms and policy is worth the money and typically runs $500 to $2,000 from a TCPA-focused attorney [9].
Sources
- U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (via Cornell Legal Information Institute): TCPA statutory damages are $500 per violation for negligent violations and up to $1,500 per willful or knowing violation; each text message is a separate violation
- Federal Communications Commission, Report and Order on lead generation and one-to-one consent, CG Docket No. 21-402: FCC one-to-one consent rule requires TCPA consent to name each specific seller rather than a category of marketing partners
- FTC, National Do Not Call Registry: Businesses must scrub their lists against the National DNC Registry; the FCC applies DNC protections to text messages sent to residential lines including mobile numbers
- California Attorney General, California Consumer Privacy Act (CCPA): California CCPA and CPRA add data rights obligations including deletion rights and opt-out of sale that apply to SMS program data for California residents
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA effective 2021 requires prior express written consent for automated texts to Florida area codes and creates a private right of action with $500 per violation
- The Campaign Registry, 10DLC Registration Requirements: 10DLC brand registration costs approximately $4 to $5 one-time and campaign registration costs $10 to $15 per campaign per month; registration required since 2021 for 10-digit long code SMS
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held in 2021 that an autodialer must use a random or sequential number generator to store or produce numbers; a system that dials from a stored list without that function may not qualify
- FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA (via eCFR): Prior express written consent is defined at 47 C.F.R. § 64.1200(f)(9) and requires a written agreement including the phone number and signature authorizing marketing texts; sending is restricted to 8 AM to 9 PM in the recipient's local time