How to send order confirmation texts without TCPA risk

Order confirmation texts can be TCPA-exempt, but only if you meet 3 specific conditions. Learn exactly what the law requires and where teams go wrong.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Shipping box and mobile phone on a kitchen counter awaiting an order confirmation text
Shipping box and mobile phone on a kitchen counter awaiting an order confirmation text

TL;DR

Order confirmation texts sent to complete a transaction generally fall outside TCPA's marketing restrictions under the "informational" exception. You still face liability if the message slips in promotional content, if you dialed with an ATDS, or if the customer never gave you their mobile number. Follow four concrete rules and you're mostly safe.

Does the TCPA apply to order confirmation texts at all?

Yes, but not as aggressively as it applies to marketing texts. The Telephone Consumer Protection Act (47 U.S.C. § 227) restricts any person from using an automatic telephone dialing system (ATDS) or prerecorded voice to call or text a mobile number without prior express consent. That applies whether you're selling something or just confirming an order.

The relief comes from the FCC's implementing rules, specifically 47 C.F.R. § 64.1200. Those rules treat messages that are "informational" in nature, and carry no unsolicited advertisement, more leniently than marketing. Shipping confirmations, order receipts, appointment reminders, and account alerts all qualify as informational, provided they meet the conditions the FCC spelled out in orders like the 2015 Omnibus TCPA Order (FCC 15-72). [1]

So the short answer is this. You still need consent, but the standard is lower for transactional messages than for marketing. Prior express consent (not prior express written consent) is enough. And if your customer voluntarily gave you their mobile number during checkout, the FCC treats that as consent for non-marketing follow-up tied to the transaction. [2]

The catch is that "informational" is not a magic word. Courts look at whether the primary purpose of a message is transactional or promotional. Sneak one discount code into your shipping confirmation and a plaintiff's attorney will argue the whole message is an advertisement. That argument has won.

What is the TCPA's informational message exemption and who qualifies?

The exemption is a lighter consent standard for non-marketing texts tied to a real transaction. It covers messages like shipping confirmations and order status updates, and it requires an existing customer relationship, transaction-only content, no promotion, and a working opt-out. Miss any one of those and you lose the protection.

The FCC codified the category in its 2012 and 2015 TCPA orders. [1] The 2015 Omnibus Order listed the message types that qualify, and order confirmations are on that list. The Commission said these messages are in the interest of the called party, which is why they get a lighter consent requirement.

To qualify, your message must check all four boxes:

1. The call or text comes from a company that has an established relationship with the recipient, meaning the customer started a transaction with you. 2. The message relates directly and solely to that transaction (shipping update, confirmation number, cancellation notice). 3. It carries no marketing or promotional content. 4. It includes a simple opt-out mechanism (STOP, for example).

The FCC's 2015 order (FCC 15-72, released July 10, 2015) named "package delivery notifications" and "order status updates" among the informational messages that qualify. [1] That's your anchor.

One thing the exemption does not protect: blasting confirmations with an ATDS to a list you scraped or bought, rather than responding to a specific customer action. Do that and you're in full TCPA territory no matter what the message says. The exemption needs a real customer relationship tied to the exact message you send. No fishing.

For informational texts, prior express consent means the customer voluntarily gave you their mobile number in a context where they could reasonably expect texts about the transaction. [2] No special box. No signature. Entering their number at checkout and completing a purchase is generally enough.

The FCC's 2012 TCPA Order (FCC 12-21) set out the consent hierarchy:

  • Prior express written consent: required for marketing and telemarketing texts. Needs a clear disclosure, an affirmative action like a check box, and the consumer's signature.
  • Prior express consent: enough for transactional and informational texts. Handing over a phone number in the context of the transaction generally satisfies it.

For text message marketing that carries any promotional element, the bar jumps to prior express written consent. The minute your order confirmation turns into a marketing vehicle, you need a written consent record.

So build your checkout to show a short disclosure near the phone number field. Something like: "We'll use your mobile number to send you updates about your order." That line ties the consent to a specific purpose. Without it, a customer can argue they expected email updates, not texts. Courts have been inconsistent here, but the disclosure costs you nothing and closes the gap.

Store the disclosure text, the timestamp, the IP address, and the phone number submitted. That's your consent record. If a TCPA lawsuit lands, that's what your lawyer reaches for first.

TCPA statutory damages at a glance Per-text penalty amounts under 47 U.S.C. § 227(b)(3) $500 Standard TCPA violation (per text) $1,500 Willful TCPA violation (per text) $0 Aggregate cap Source: U.S. Code, 47 U.S.C. § 227(b)(3)

What can go wrong even with a "transactional" order confirmation text?

This is where small teams get hurt. They assume the message is transactional, so they skip the compliance work. Four failure points cause most of the damage.

Promotional content mixed in. Courts apply the "primary purpose" test. If your shipping confirmation also says "Use code SHIP10 for 10% off your next order," a court can classify the entire message as a commercial solicitation. In Chesbro v. Best Buy Stores, 705 F.3d 913 (9th Cir. 2012), the Ninth Circuit found that calls tying a rewards program to a purchase crossed into marketing, even though they looked informational. [3] That case gets cited constantly. Keep offers out of confirmation texts.

Wrong phone number type. If a customer mistypes a landline and your SMS generates an automated voice read-out to that line, you have a TCPA violation regardless of content. Landline owners can collect $500 per call, up to $1,500 if the court finds willfulness. Run phone number validation before sending.

Using an ATDS on numbers you didn't collect directly. If your SMS platform can generate or store numbers and dial them sequentially, you might be using an ATDS under the FCC's interpretation even without meaning to. The Supreme Court in Facebook v. Duguid, 592 U.S. 395 (2021), narrowed the ATDS definition to systems that use a random or sequential number generator, which helps. Ambiguity still remains. [4]

No opt-out path. Even informational texts need an opt-out under 47 C.F.R. § 64.1200. One line at the bottom: "Reply STOP to unsubscribe." If someone replies STOP and you text again, that's a separate violation.

How does Facebook v. Duguid change the rules for confirmation texts?

Facebook v. Duguid (2021) is the most important TCPA ruling in years for anyone sending automated texts. [4] The Supreme Court held, unanimously, that an ATDS must use a random or sequential number generator to store or produce phone numbers to dial. The opinion said a device must "have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator." Dialing from a stored list, with no such generation, does not make a system an ATDS.

For order confirmation texts, that matters a lot. Most modern SMS platforms (Twilio, AWS SNS, and the like) send to a specific number tied to a specific customer record. They pull from a list, not a number generator. After Duguid, those platforms are far less likely to count as an ATDS, which cuts your federal exposure.

Duguid did not end TCPA liability for transactional texts. Three risks remain:

1. State mini-TCPA laws (California, Florida, Oklahoma, and others) carry their own ATDS definitions, some broader than the federal post-Duguid standard. [5] 2. If your platform has any random-dial or sequential-dial capability, even unused, some plaintiffs' attorneys will argue you're using an ATDS. 3. The FCC has signaled it may issue new rules reading ATDS more broadly. Watch for guidance.

The practical upshot: use a reputable SMS platform that sends only to customer-submitted numbers, document your technology stack, and keep Duguid in your back pocket. It's a real defense, not a guarantee.

What are the TCPA penalties if an order confirmation text goes wrong?

Statutory damages under 47 U.S.C. § 227(b)(3) run $500 per violation, which means $500 per text sent to a number without valid consent. If a court finds the violation was willful, that triples to $1,500 per text. [6] There is no cap on aggregate damages. That's why TCPA cases become class actions.

A single batch of 10,000 order confirmation texts to a list with non-consenting numbers could generate $5 million in statutory exposure. Settlements often land lower, but plaintiff's attorneys know the math and they lean on it in negotiations.

Real cases show the scale. The cash app tcpa class action settlement shows what happens when a company's texting practices draw class scrutiny. The credit one tcpa settlement resolved at amounts that reflect how seriously courts treat text violations when consent records are thin.

For a small outbound team, the lesson is not that you'll definitely get sued. The lesson is that the downside is big enough that a few hours of setup pays for itself many times over. Document consent, scrub your lists, and keep promotions out of transactional messages.

Do you need to check the Do Not Call registry before sending order confirmation texts?

No, not for a pure transactional message. The National Do Not Call Registry, run by the FTC under 16 C.F.R. § 310, covers telephone solicitations. [7] If your order confirmation text carries no marketing and goes out solely to complete or update a transaction, the DNC registry does not apply.

If your organization also sends marketing texts, the DNC rules matter for those campaigns, and you'd scrub marketing lists against the registry. For pure transactional messages like "Your order #12345 shipped," no DNC scrub is legally required.

Still, learning the do not call list rules helps your broader program, because the line between transactional and marketing blurs fast. Add a promotional element to your confirmations and you've turned them into solicitations. Now DNC rules apply. Keep the two message types cleanly separated in your platform so a marketing text never leaks out of your transactional flow.

State do-not-call rules vary, and some are stricter than the federal version. California, for one, layers its own consumer privacy rules on top. If you operate nationally, check the rules for your top markets. [5]

What should an order confirmation text actually say to stay compliant?

Content compliance comes down to two things. What the message says, and what it does not say.

A compliant order confirmation text contains:

  • Your company name or recognizable short code
  • The specific transaction detail (order number, shipment tracking, delivery estimate)
  • A single-sentence opt-out instruction ("Reply STOP to stop these messages")
  • Nothing else

A non-compliant one also contains:

  • Discount codes for future purchases
  • Product recommendations ("You might also like...")
  • Referral program mentions
  • Survey links disguised as service (if the results feed marketing)
  • Upsell prompts

Here's a compliant example: "Your order #98234 from Acme Co. has shipped. Expected delivery: July 14. Track at [link]. Reply STOP to unsubscribe."

Here's a non-compliant one: "Your order #98234 shipped! Delivery July 14. Track at [link]. PS: Use code THANKYOU for 15% off your next order. Reply STOP to unsubscribe."

The second message has crossed into marketing. The opt-out is there, but the discount code makes it a commercial solicitation under the FCC's primary purpose test.

Keep your transactional template locked in your platform. Set a policy that no marketing team member can edit it without a compliance review. That one step prevents most accidental violations.

A consent record that holds up has four elements: the disclosure shown to the customer, a timestamp, an identifier (IP address, session ID, or cookie), and the phone number submitted. Capture all four at the moment of submission and store them together.

At checkout, the disclosure should sit near the phone number field, not buried in terms of service. Courts have found buried consent unpersuasive. In Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017), the court found valid consent where the consumer provided their number in a relevant context, but stressed the consumer needed to know texts might follow. [8] Visibility matters.

For most e-commerce platforms, capturing the disclosure text takes a small engineering step: log the exact string shown to the user at the time of submission. If you update your disclosure, old records should reference the old text, new ones the new text. That version control is what lets you prove exactly what a customer agreed to.

Store consent records for at least four years. The TCPA statute of limitations is four years under 28 U.S.C. § 1658, and some state laws stretch it further. Delete records at two years and you can't defend a claim filed in year three.

LeadCompliant's free compliance kit includes a consent record template and a phone number validation checker you can run before your first send. Use it to audit your checkout flow before you assume you're covered.

One more thing. If a customer texts STOP and then re-engages (makes another purchase), decide whether that new transaction resets consent. The FCC's position is that a new transaction with a fresh phone number submission can count as new consent, but document it. Don't just assume.

Does the TCPA apply differently to SMS versus MMS order confirmations?

Functionally, no. Both SMS and MMS count as "calls" under 47 U.S.C. § 227, because the FCC has read the statutory definition of "call" to include text messages. [9] The consent requirements are identical for both.

Where MMS gets tricky is content. An MMS with a product image attached can tip the primary-purpose analysis toward marketing faster than plain text. Send a shipping confirmation as an MMS showing the exact product the customer ordered, and most attorneys call that a gray area. Include a photo of a complementary product or a promo banner, and you're in marketing territory.

For order confirmations, stick to SMS. Plain text is cleaner legally, cheaper to send, and easier to monitor for compliance drift. Save MMS for campaigns where you hold written consent and a clear marketing purpose.

What compliance steps should you set up before sending your first order confirmation text?

Set up these seven things before your first send, and you cover the main risk areas: a visible checkout disclosure, phone number validation, immediate opt-out logging, a locked template, a documented tech stack, a four-year retention policy, and a quarterly review. Here's the sequence.

Step 1: Audit your checkout phone number field. Is there a visible disclosure near it? Does it say texts may follow? Log the disclosure text.

Step 2: Run phone number validation. Scrub submitted numbers against a carrier lookup to spot landlines and disconnected numbers. Remove both before sending. Tools like Twilio Lookup or Numverify do this via API.

Step 3: Configure your SMS platform to log opt-outs immediately. When someone replies STOP, that number must be suppressed before the next send, not merely logged. Test it yourself.

Step 4: Write and lock your message template. Get a compliance review, then restrict edit access so it can't change without another review.

Step 5: Document your technology stack. Note the SMS platform, whether it dials from a stored list or a number generator, and the date you documented it. This is your Duguid defense file.

Step 6: Set a consent record retention policy. Four years minimum. Back up to a second storage location.

Step 7: Set a quarterly review. Every 90 days, check: did any promotional content sneak into transactional templates? Did your platform change? Did a new state law pass?

Teams worried about missing something should review the tcpa fundamentals alongside their state law exposure. If you run outbound calling next to texts, cold calling rules layer on top.

LeadCompliant offers a one-time compliance kit that walks through each step with checklists and template language. Treat it as a starting framework, not a substitute for legal counsel if your program is large.

How do state laws add to the TCPA rules for order confirmation texts?

Federal TCPA sets the floor. States build higher walls. A text that's safe under federal law post-Duguid can still draw a viable state-law claim if you're texting Florida or California residents, especially when your platform uses any form of automation.

California's Invasion of Privacy Act (CIPA) restricts automated communications on its own terms. Florida amended its Mini-TCPA, the Florida Telephone Solicitation Act (Fla. Stat. § 501.059), in 2021 to reach automated text messages more broadly than the post-Duguid federal standard, and Florida plaintiffs' attorneys noticed within weeks. [5] Oklahoma's statute is similarly aggressive. Washington has its own Commercial Electronic Mail Act.

For a small team sending nationally, the safest move is to comply with the strictest applicable state standard across every send rather than trying to geo-fence compliance. You rarely know where a customer's mobile number is registered, and carriers port numbers across state lines all the time.

A rough map of the risk landscape:

StateMini-TCPA or equivalentBroader than post-Duguid ATDS definition?
CaliforniaCIPAYes
FloridaFTSA (2021)Yes
OklahomaOTSAYes
TexasTSCAPartially
WashingtonCEMALimited
All othersFederal TCPA appliesNo

This table reflects general consensus among compliance practitioners as of 2025. It is not legal advice, and state laws change. Verify current statutes before relying on any single row.

Frequently asked questions

Are order confirmation texts automatically exempt from the TCPA?

No, they're not automatic exemptions. Informational texts tied to a transaction get a lighter consent standard (prior express consent rather than prior express written consent), but they still must avoid promotional content, honor opt-outs, and rely on a valid SMS platform. Mix in a discount code and the exemption disappears. The FCC's 2015 Omnibus Order (FCC 15-72) outlines the conditions.

Can I include a coupon code in my order confirmation text?

No. A coupon, promo code, or product recommendation turns the message from transactional to commercial under the FCC's primary-purpose test. That shifts the consent requirement to prior express written consent, and if you don't have that, you have a TCPA violation. Keep marketing in separate message flows with proper written consent.

What happens if a customer gives me a landline number at checkout and I text it?

A text sent to a landline typically generates an automated voice read-out of the message. That counts as an artificial or prerecorded voice call under the TCPA, which carries $500 per call in statutory damages, tripled to $1,500 if willful. Run a carrier lookup before sending any SMS to catch landlines. This is one of the cheapest steps to implement.

Does the Do Not Call registry affect order confirmation texts?

Not directly. The National DNC registry covers telephone solicitations, not transactional messages. A pure order confirmation with no marketing content is not a solicitation, so no DNC scrub is legally required for that message. Add promotional content later and the message becomes a solicitation, so DNC rules apply. Understand the full do not call list framework before mixing message types.

At minimum, four years. The TCPA statute of limitations is four years under 28 U.S.C. § 1658. Some state laws extend the window further. Delete records earlier and you lose the ability to defend claims filed years after the text went out. Store the disclosure text shown to the customer, the phone number, the timestamp, and the IP address.

What does a TCPA-compliant order confirmation text look like?

It has your company name, the specific transaction detail (order number, shipment tracking, delivery date), a plain URL if relevant, and a one-line opt-out like "Reply STOP to unsubscribe." Nothing else. No offers, no survey links, no upsell language. A locked template and a periodic review process keep it clean over time.

Does Facebook v. Duguid make order confirmation texts fully safe now?

It cuts federal ATDS risk for systems that dial from a stored customer list rather than a random or sequential number generator. It does not remove state-law risk. Florida, California, and Oklahoma have ATDS definitions broader than the post-Duguid federal standard. State claims stay viable even when federal ATDS arguments fail. Post-Duguid is a defense, not a safe harbor.

If a customer texts STOP, can I still send them order updates?

This is genuinely unsettled, and practitioners disagree. The FCC's position is that a STOP reply should end all texts from that sender. Some compliance attorneys argue a later purchase creates new consent. The safest approach: after a STOP, add a checkout note that the customer is opting back in to order updates, and log it. Don't just resume sending without that explicit re-engagement step.

Can I use a shared short code for order confirmation texts?

You can, but the FCC and major carriers moved away from shared short codes. In 2021, most carriers deprecated them precisely because they made consent attribution murky: who does STOP apply to when multiple brands share a code? Dedicated short codes or 10DLC (10-digit long codes) with proper A2P registration are the current standard. A shared code today creates both compliance and deliverability risk.

No, not for purely informational transactional texts. Prior express written consent (a signed, clearly disclosed agreement) is the standard for marketing and telemarketing texts. Order confirmations need only prior express consent, which a customer typically gives by entering their mobile number at checkout. The moment your confirmation includes promotional content, the standard jumps to written consent.

What is the penalty for one TCPA violation on an order confirmation text?

Statutory damages are $500 per text for a standard violation and $1,500 per text if the court finds the violation was willful, under 47 U.S.C. § 227(b)(3). There is no statutory cap on aggregate damages, which is why a small batch of non-compliant texts can escalate into a multi-million-dollar class action. The math is simple and plaintiff's attorneys know it.

Does the TCPA apply if I send order confirmation texts through email-to-SMS gateways?

Yes. If the message lands as an SMS on a mobile number, TCPA applies regardless of how you routed it. The FCC looks at what the recipient receives, not how you sent it. Email-to-SMS gateways were sometimes used to argue around TCPA, but that argument has not fared well in federal courts.

How is MMS different from SMS for TCPA purposes when sending order confirmations?

Both SMS and MMS count as texts under the TCPA's definition of calls, so the consent standard is identical. The practical difference is that MMS with images or rich media is more likely to tip the primary-purpose analysis toward marketing, especially with product imagery. For order confirmations, plain SMS is legally cleaner, cheaper, and easier to audit for compliance drift.

Are there FCC-approved examples of transactional texts that don't need extra consent?

Yes. The FCC's 2015 Omnibus TCPA Order (FCC 15-72) named package delivery notifications, order status updates, account balance alerts, and appointment reminders as examples of informational messages that qualify for the lighter consent standard. Each example requires that the message relate solely to the transaction and carry no promotional content.

Sources

  1. Chesbro v. Best Buy Stores, 705 F.3d 913 (9th Cir. 2012): Ninth Circuit found calls linking loyalty programs to transactions crossed into marketing territory even though they appeared transactional
  2. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator; systems dialing from a stored list without such generation do not qualify as an ATDS
  3. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059 (amended 2021): Florida's 2021 Mini-TCPA amendment covers automated text messages more broadly than the post-Duguid federal ATDS standard
  4. U.S. Code, 47 U.S.C. § 227(b)(3), Telephone Consumer Protection Act: Statutory damages under TCPA are $500 per violation, trebled to $1,500 per violation for willful violations, with no aggregate statutory cap
  5. FTC, Telemarketing Sales Rule, 16 C.F.R. § 310, National Do Not Call Registry: The National Do Not Call Registry under 16 C.F.R. § 310 applies to telephone solicitations, not to purely transactional or informational messages
  6. Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017): Ninth Circuit found valid TCPA consent where consumer provided their number in a relevant transactional context with reasonable expectation that texts might follow
  7. U.S. Code, 28 U.S.C. § 1658, Statute of Limitations: The general federal statute of limitations for TCPA claims is 4 years under 28 U.S.C. § 1658
  8. FCC, 47 C.F.R. § 64.1200, TCPA Implementing Regulations: FCC regulations at 47 C.F.R. § 64.1200 require that even informational calls and texts include an opt-out mechanism

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit