How to write a compliant SMS welcome message for new subscribers

A compliant SMS welcome message must confirm opt-in, name your brand, state message frequency, and include STOP/HELP instructions. Here's exactly how to do it.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-10

Person reviewing an SMS welcome message on a smartphone at a sunlit desk
Person reviewing an SMS welcome message on a smartphone at a sunlit desk

TL;DR

A compliant SMS welcome message does five things: confirms the subscriber's opt-in, names your brand, states message frequency (or says 'recurring messages'), includes 'Reply STOP to cancel' and 'Reply HELP for help,' and notes that message and data rates may apply. Miss any of these and you're exposed to TCPA liability starting at $500 per text.

What makes an SMS welcome message legally compliant?

A compliant SMS welcome message is a legal disclosure. It's not a friendly hello. Under 47 U.S.C. § 227, sending an automated text to a cell phone without prior express written consent, or without the proper disclosures attached to that consent, can cost you $500 per message in statutory damages, and up to $1,500 if the violation is willful [1].

The statute itself doesn't dictate the word-for-word contents of a welcome message. What it says is that prior express written consent is required for autodialed or prerecorded marketing texts [2]. The FCC's rules and guidance, plus the CTIA Messaging Principles and Best Practices, fill in the practical requirements. Courts have repeatedly looked at whether disclosures were clear and conspicuous when deciding whether consent was valid.

Here's what every compliant welcome message needs:

1. Brand identification. Subscribers need to know immediately who is texting them. 2. Confirmation that they opted in. Something like 'You're now subscribed to...' closes the consent loop. 3. Message frequency disclosure. Either specify it ('up to 4 msgs/month') or use 'Recurring messages' as a placeholder. 4. Opt-out instruction. 'Reply STOP to cancel' is the phrase carriers and aggregators expect. 5. Help instruction. 'Reply HELP for help' or 'Text HELP for info.' 6. Message and data rates disclosure. 'Msg & data rates may apply' is the standard phrase.

All six elements. Not five. Not four with the rest hidden behind a terms link.

What does a compliant welcome message actually look like?

Here are two examples, one minimal and one fuller, both compliant.

Minimal version (fits in one SMS if you're careful about the 160-character limit):

'Acme Co: You're subscribed to deal alerts. Recurring msgs. Msg & data rates may apply. Reply STOP to cancel, HELP for help.'

That's 134 characters. It checks every box. Swap 'deal alerts' for whatever your program actually delivers.

Fuller version (fits in an MMS or a two-segment SMS):

'Welcome to Acme Co alerts! You signed up for weekly promo texts (up to 4 msgs/month). Msg & data rates may apply. Reply STOP to unsubscribe at any time, HELP for assistance. Visit acme.com/sms-terms for full terms.'

The fuller version adds a specific frequency count and a link to your full terms. Neither is required by statute. Both cut your litigation risk because they show you made a real effort to be transparent.

One thing surprises a lot of teams: the welcome message is not where you collect consent. Consent happens before the welcome text goes out. It comes through a web form, a paper form, a keyword opt-in (the subscriber texts a keyword to your shortcode), or a recorded verbal opt-in. The welcome text confirms and documents that the opt-in already happened [3].

For more on what SMS programs need to disclose at sign-up, see our guide to text message marketing.

What are the exact TCPA rules for automated text messages?

The core statute is the Telephone Consumer Protection Act, 47 U.S.C. § 227. The subsection that governs texts is 227(b)(1)(A)(iii), which prohibits using an automatic telephone dialing system (ATDS) to call or text any cellular number without the called party's prior express consent [1].

For marketing texts, the FCC's 2012 Order (FCC 12-21) raised the bar to prior express written consent, meaning a signed written agreement (electronic signatures count) that clearly authorizes autodialed marketing messages [4]. 'Prior express consent' without the 'written' qualifier still covers informational texts like appointment reminders or shipping notifications.

The CTIA, the trade association for the wireless industry, publishes Messaging Principles and Best Practices that carriers (AT&T, T-Mobile, Verizon) contractually require senders to follow. These rules call for opt-out and help keywords, program name disclosure in the welcome message, and message frequency disclosures [5]. Break them and carriers can block your shortcode or long code, independent of any lawsuit.

State laws stack on top. California's CPRA, Florida's FTSA (amended in 2023), and other state telemarketing statutes each carry their own requirements that can exceed the TCPA floor. Florida's FTSA created a private right of action for texts sent with an 'automated system' without proper consent, with no need to prove the federal ATDS definition [6]. If your list includes Florida residents, treat every text as if it were sent under the strictest standard.

A practical note on the ATDS definition: the Supreme Court's 2021 ruling in Facebook v. Duguid narrowed what counts as an ATDS under federal law. That ruling does nothing for you against state statutes that use their own definitions. Plan for the stricter state floors, not the federal ceiling [7].

You can see how badly this goes wrong in cases like the cash app tcpa class action settlement and the credit one tcpa settlement, both involving automated messaging without adequate consent documentation.

TCPA text message penalties at a glance Statutory damages per violation under 47 U.S.C. § 227(b)(3) $500 Per violation (standard) $1,500 Per violation (willful/know… $2,012 FCC 2012 Order year (prior express written cons… $2,023 FCC one-to-one consent rule order year Source: Cornell Law School Legal Information Institute, 47 U.S.C. § 227

How do STOP and HELP keywords work, and are they required?

STOP and HELP are technical requirements enforced at the carrier level, and the FCC treats honoring opt-out requests as a consent obligation [4]. They're not optional courtesy.

When a subscriber texts STOP to your number, your platform has to send an immediate confirmation and stop all marketing messages from that number. The standard confirmation reads: 'Acme Co: You've been unsubscribed. No more messages will be sent. Text START to resubscribe.'

HELP, when texted back, should return your program name, a phone number or email for support, and optionally a link to your terms. For example: 'Acme Co alerts: For help, call 1-800-555-0100 or visit acme.com/contact. Text STOP to cancel.'

Carriers support a family of opt-out keywords, more than just STOP. The standard list is STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT. Your platform needs to honor all of them. Most reputable SMS platforms handle this automatically. Verify it in the documentation instead of assuming.

If a subscriber opts out and you keep texting, that's a clean, easy-to-prove TCPA violation. Plaintiffs don't have to show intent. The text hit the phone. That's enough.

Teams get re-consent campaigns wrong all the time. If someone texted STOP, you can send a single re-consent message asking if they want back in, but only if they reached out to you first, or if your original consent language specifically disclosed that you'd send a re-consent offer. Blasting a marketing-flavored re-consent to your full opt-out list is a lawsuit waiting to happen.

Does 'msg & data rates may apply' actually need to be in every welcome text?

Yes, and the CTIA treats it as non-negotiable in the welcome message. 'Msg & data rates may apply' (or 'Message and data rates may apply' spelled out) tells subscribers that your texts may count against their carrier plan. For people on limited plans, that matters.

The disclosure doesn't need to repeat in every later text. CTIA guidelines require it at opt-in and in the welcome message [5]. After that, you're covered as long as the original disclosure was clear. The welcome text is your best documented proof that the subscriber saw this before any program messages arrived.

Some platforms abbreviate it as 'Msg&data rates may apply.' Fine. Carriers accept common abbreviations here. What you can't do is drop it from the welcome flow and bury it in web terms, because courts and the FCC look at what the subscriber actually saw at opt-in, not what was theoretically available three clicks deep.

What message frequency disclosure is required?

CTIA guidelines require either a specific frequency ('up to 4 msgs/month') or a general disclosure ('Recurring messages') in your welcome text [5]. Which one you pick depends on whether your program sends a predictable volume.

Run a weekly deal alert? Say '1 msg/week.' Run a triggered program with variable volume? 'Recurring messages' works. What you can't do is say nothing, or hide behind vague language like 'occasional updates,' which gives subscribers no realistic picture of what they signed up for.

Be conservative. If you say 'up to 4 msgs/month' and send 10 in a peak month, that's a misrepresentation in your consent disclosure. Plaintiffs' attorneys hunt for exactly this gap between disclosed and actual frequency.

When your frequency genuinely swings, err toward 'Recurring messages' and set an internal cap. Consent obtained with an accurate frequency disclosure is far easier to defend than consent obtained with an optimistic one.

Can you use a long code instead of a shortcode, and does it change compliance requirements?

The compliance requirements in your welcome message stay the same no matter the number type: a 5-6 digit shortcode, a 10-digit long code (10DLC), or a toll-free number. Brand name, frequency, STOP/HELP, rates disclosure. All required on all of them.

What changes is carrier registration and throughput limits. Since late 2023, the major U.S. carriers require all commercial 10DLC traffic to be registered through The Campaign Registry (TCR), with a registered brand and campaign [8]. Unregistered 10DLC traffic gets filtered or blocked. Shortcodes go through a separate carrier vetting process that can take 8-12 weeks.

Toll-free numbers, once verified through the toll-free verification process, can send commercial traffic at reasonable volumes. That verification is separate from TCR registration.

None of this replaces the TCPA consent and disclosure obligations in your welcome text. TCR registration shows carriers you're a legitimate sender. It gives you zero legal cover with the FCC or plaintiffs if you didn't have proper consent.

For how TCPA liability works across channel types, the tcpa overview is worth reading before you design your full program.

What should you do if someone never responds to your welcome message?

Non-response doesn't equal withdrawal of consent. If someone opted in properly and got a compliant welcome message, you can keep sending program messages as disclosed, even if they never reply.

Sending to subscribers who never engage still creates business risk on top of the legal risk. High unengaged lists drag down delivery rates, raise spam complaints, and can get your number or shortcode flagged by carriers. Most compliance-focused teams clean subscribers who never open or click after 90-180 days. Not because the law requires it. Because it's good hygiene.

Where you do need to act is on delivery failures. If a message bounces as undeliverable over and over, that's a signal the number is disconnected or reassigned. Wireless number reassignment is a real TCPA hazard. If the original subscriber's number got handed to a new person, and you keep texting without checking, you're now texting someone who never consented. The FCC's Reassigned Numbers Database, established under 47 CFR § 64.1200, lets senders check whether a number has been reassigned since they collected consent [9].

For high-volume programs, running numbers through the database before each send is worth doing. For smaller programs, checking numbers that have been on your list more than six months is a reasonable minimum.

Documentation is what separates a defensible SMS program from a settlement waiting to happen. In a TCPA case, the burden of proof sits with the sender, not the plaintiff. If a subscriber claims they didn't consent, you have to prove they did [1].

Here's what adequate consent documentation looks like:

  • The opt-in method: screenshot or code snapshot of the web form, keyword opt-in confirmation, or signed paper form.
  • Timestamp: exact date and time the opt-in was recorded.
  • IP address (for web forms): ties the opt-in to a specific device session.
  • The disclosure language the subscriber saw at opt-in: not what your form says today, but what it said when they signed up.
  • The welcome message sent: timestamp, content, and delivery confirmation.

Store this for at least four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 [11]. Some plaintiff attorneys argue state law allows longer windows. Four years is the federal floor.

If you use a third-party platform (Klaviyo, Attentive, Postscript, Twilio, and the like), pull their consent logs on a schedule and store them somewhere you control. Platforms get acquired, change retention policies, or go dark. Your compliance documentation can't live only on their servers.

LeadCompliant's free compliance kit includes a consent documentation template and a welcome message checklist that covers the elements above for both web and keyword opt-in flows.

If your program also involves phone calls or a do-not-call list, read up on the do not call list and mobile phone do not call list obligations so your opt-out processes cover both channels.

What are the most common mistakes in SMS welcome messages?

After reading real TCPA complaints and consent-related litigation, these are the mistakes that show up again and again.

Missing brand name. The subscriber gets a text from a random number with no company name. They have no idea who's contacting them. Even if they opted in an hour ago, a nameless text reads like spam.

Vague or absent frequency disclosure. 'We'll send you updates' tells the subscriber nothing. Courts and arbitrators look at whether the disclosure was clear enough for a reasonable person to understand what they signed up for.

No STOP instruction, or a buried one. 'To opt out, visit our website and update your preferences' does not satisfy CTIA requirements. STOP as a keyword, in the text itself.

Sending the welcome from a different number than later messages. If subscribers opt in on a shortcode but then get texts from a 10DLC number, the opt-out data may not be shared between the two. That means STOP replies to one number don't suppress traffic from the other.

Too long, too salesy. A welcome message is a compliance disclosure, not a sales pitch. If your welcome text is mostly promo with the disclosures crammed into the last line in abbreviated form, a court may find they weren't 'clear and conspicuous.' Keep it functional. Save the sale for the second message.

Delaying the welcome message. If someone opts in and doesn't get a welcome text for 24 hours, they may forget they signed up. Worse, delaying the STOP option means you may be sending more messages before they've had a chance to opt out. Send the welcome text immediately, or within a few minutes at most.

No. A terms link is a best practice, not a legal requirement under TCPA or CTIA guidelines. The six required elements don't include a terms URL.

Still, a short URL to your SMS terms page gives you a place for everything that won't fit in a text: full opt-out instructions, program description, privacy policy, and carrier liability disclaimer. It also helps in litigation, because you can show the subscriber had access to complete disclosures.

If you include a terms link, make sure it works and that the page matches what you disclosed in the welcome text. A mismatch between your frequency claim and what your terms page says is a problem you created for yourself.

Don't gate your terms page behind a login or paywall. Keep it publicly accessible on a stable URL. When you update your SMS terms, archive the old versions with their effective dates.

The FCC issued an order in December 2023 (FCC 23-107), tightening consent requirements for lead generators and affiliate marketing chains [10]. Under the rule, prior express written consent must come from one seller at a time, so a single opt-in form can no longer grant consent to contact the subscriber on behalf of a list of third-party companies.

This doesn't change the content requirements for the welcome message itself. It changes the scope of who you're authorized to contact and under what consent. The practical effect: if you're a lead generator passing leads to multiple buyers, each buyer now needs its own direct consent from the subscriber, not a blanket assignment from the original opt-in.

For direct-to-consumer SMS programs where you're the only brand texting the subscriber, FCC 23-107 has minimal operational impact. Your welcome message still needs the same six elements. But if your program runs on co-registration consent, consent purchased from a third-party list vendor, or affiliate-sourced opt-ins, you need to re-examine every consent flow before those leads receive any texts.

A note on timing. The one-to-one provisions had a phased effective date and the lead-generator piece was vacated by the Eleventh Circuit in early 2025, so the enforcement picture is unsettled. Don't read that as a green light. Carriers, plaintiffs, and future FCC action all still push toward specific, single-seller consent. If you haven't audited your consent acquisition process against the one-to-one standard, do it anyway. It's the direction everything is heading.

Frequently asked questions

How long can an SMS welcome message be?

A standard SMS is 160 characters. You can send a multi-segment message (two or three SMS segments linked together) or an MMS for more space, but most compliant welcome messages fit in one or two segments. Longer isn't better. If your welcome text reads like a wall of legal copy, subscribers tune out and miss the STOP instruction. Aim for 160-320 characters and keep the required elements up front.

No. The TCPA's prior express written consent standard applies to marketing and promotional texts sent via an ATDS. Purely informational messages, like order confirmations, appointment reminders, or password resets, need only prior express consent without the 'written' modifier. The line between informational and promotional isn't always clean. If a transactional text includes a discount code or an upsell, regulators and courts may treat it as marketing.

If consent wasn't collected before the welcome text went out, that first text is itself a potential TCPA violation. The welcome message confirms consent. It doesn't create it. Double opt-in flows, where you send a confirmation request and only activate the subscription after the subscriber replies YES, add a layer of protection and create a clear record that the subscriber actively confirmed they wanted messages.

Can I use emoji or images in a compliant welcome message?

Yes. TCPA and CTIA rules don't prohibit emoji or images. An MMS welcome message with a branded image is fine as long as all six required disclosure elements are present in the text portion. Avoid embedding required disclosures inside an image, because images don't render on all devices and may not be accessible to screen readers. Keep disclosures in plain text.

Is a double opt-in required for SMS programs?

Double opt-in is not required by TCPA or FCC rules, but CTIA strongly recommends it for most commercial programs, and some carriers require it for certain shortcode programs. From a litigation standpoint, double opt-in creates a confirmed record that the subscriber actively opted in, which makes it much harder for a plaintiff to claim they never consented. Single opt-in with strong documentation is legally sufficient. Double opt-in is the safer practice.

What if a subscriber replies to the welcome message asking to stop, but doesn't use the word STOP?

Honor it. FCC guidance has indicated that opt-out requests in plain language, like 'please remove me' or 'don't text me anymore,' must be honored even when they don't match the exact STOP keyword. Ignoring non-standard opt-out language and relying on a technicality is not a defensible position in court. Train your platform, or your human review process, to flag and process these replies as opt-outs.

Does the STOP instruction need to be in the welcome message, or just somewhere in the program?

CTIA guidelines require the STOP instruction in the welcome message specifically, and periodically after that, typically every 30 days or in every fifth message. The welcome message is the most important place because it's the subscriber's first interaction with your program. A text with no opt-out path from the start is both a compliance violation and a consumer experience problem that drives spam complaints.

How long should I keep records of welcome messages sent?

Keep records for at least four years, the federal TCPA statute of limitations under 28 U.S.C. § 1658. Records should include the message content, the recipient's phone number, the delivery timestamp, and the consent documentation that authorized the send. Some state laws have longer limitation periods, so if you operate in states with stricter SMS laws, ask counsel whether a longer retention period applies.

Can I send a welcome message to a number I bought from a list vendor?

Almost certainly not safely. For marketing texts, the required consent must be specific to you as the sender, not a generic consent captured by a third party and sold. Purchased list consent is essentially unusable for TCPA-compliant marketing texts, and carriers filter this traffic aggressively. Texting purchased numbers without your own direct consent documentation is one of the highest-risk moves an SMS program can make.

What's the TCPA penalty for a non-compliant welcome text?

The TCPA creates a private right of action for $500 per violation, which means $500 per non-compliant text. If the violation is willful or knowing, that triples to $1,500 per message under 47 U.S.C. § 227(b)(3). In a class action, where one message type went to thousands of subscribers, those per-message amounts pile up fast. The Cash App TCPA settlement and other high-profile cases show how class certification turns individual $500 claims into eight-figure settlements.

Do state laws add any welcome message requirements beyond what TCPA requires?

Some do. Florida's FTSA carries its own requirements and a lower bar for what counts as an 'automated system,' expanding liability past the federal ATDS definition. California's CPRA adds privacy disclosure obligations for California residents. Texas and Washington have their own telemarketing statutes. A message that's minimally compliant under federal TCPA can still fall short in states with stricter rules. If your list has subscribers in high-litigation states like Florida and California, apply those states' standards across your whole program.

What is The Campaign Registry and do I need it for my SMS welcome message compliance?

The Campaign Registry (TCR) is the central hub carriers use to register 10DLC commercial messaging campaigns. Registration is required for any business sending commercial texts over 10-digit long codes. It doesn't directly affect the content of your welcome message, but unregistered traffic gets filtered by carriers, which means your welcome message may never reach the subscriber. TCR registration is a prerequisite for reliable delivery, not a substitute for TCPA compliance.

How is a keyword opt-in welcome message different from a web form opt-in welcome message?

The required content of the welcome message is the same either way. What differs is the consent mechanics. In a keyword opt-in, the subscriber texts a keyword (like JOIN or DEALS) to your number, and that action itself is prior express consent for the program advertised at the keyword call to action. Your welcome text confirms what they signed up for. With a web form, consent is captured at form submission, and the welcome text confirms and documents it. Both methods are valid.

Sources

  1. Cornell Law School Legal Information Institute, 47 U.S.C. § 227: TCPA statutory damages are $500 per violation, up to $1,500 for willful violations, with a private right of action
  2. Federal Trade Commission (homepage): Consent for text message marketing must be obtained before the first message is sent; a welcome message confirms it
  3. Cornell Law School Legal Information Institute, 47 CFR § 64.1200: FCC rules require prior express written consent for autodialed marketing calls and texts to cell phones
  4. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059, Florida Statutes: Florida FTSA created a private right of action for texts made with an automated system without proper consent, using a broader definition than the federal ATDS standard
  5. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court's 2021 ruling narrowed the federal ATDS definition under TCPA, but state statutes with different definitions remain in force
  6. The Campaign Registry, 10DLC Registration: Major U.S. carriers require all commercial 10DLC traffic to be registered through The Campaign Registry with a brand and campaign record
  7. Cornell Law School Legal Information Institute, 47 CFR § 64.1200: The FCC's Reassigned Numbers Database lets senders check whether a number has been reassigned to a new subscriber since consent was collected
  8. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658: The federal statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit