Last updated 2026-07-09

TL;DR
Text message marketing is legal in the United States, but it is tightly regulated under the Telephone Consumer Protection Act (47 U.S.C. § 227) and FCC rules. You must have prior express written consent before sending most marketing texts, honor opt-outs promptly, and follow quiet-hour restrictions. Violations cost $500 to $1,500 per individual message, and class actions regularly produce seven- and eight-figure settlements.
Is text message marketing legal in the United States?
Yes. Text message marketing is legal. Full stop.
But legal and unregulated are not the same thing. The Telephone Consumer Protection Act, 47 U.S.C. § 227, passed in 1991 and has been extended by the FCC multiple times to cover SMS and MMS messages sent to cell phones. [1] The law does not ban commercial texting. It sets specific requirements, and if you ignore them, your business is exposed to statutory damages that start at $500 per violation and triple to $1,500 per violation when a court finds the conduct willful. [2]
The FCC's 2012 order tightened things considerably. It requires prior express written consent for marketing texts sent using an automatic telephone dialing system or an artificial or prerecorded voice. [3] A 2024 FCC ruling then clarified that one consumer's consent cannot be shared across multiple unrelated sellers, closing the so-called lead-generator loophole that many list brokers had exploited. [4]
So the framework is simple to state. Consent first, then message. Skip that step and you hand a plaintiff's attorney a per-message damages claim on a silver platter. The text message marketing space has dozens of high-profile settlements that prove the point.
What laws govern text message marketing?
Three layers of law apply at the same time, and you have to satisfy all three.
Federal: the TCPA and FCC rules. The Telephone Consumer Protection Act (47 U.S.C. § 227) is the foundation. [1] The FCC implements it through regulations codified at 47 C.F.R. § 64.1200. The FTC also enforces the CAN-SPAM Act for email, but for SMS the TCPA is the primary federal instrument.
Federal: the Telemarketing Sales Rule. The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) covers some text-based solicitations, particularly those linked to a telephone sales pitch. [5] It adds its own consent and disclosure requirements on top of the TCPA.
State laws. Several states have passed text-marketing rules stricter than federal law. Florida's 2021 Mini-TCPA (Florida Statutes § 501.059) requires human review before certain texts and limits automated texts to eight calls or messages per 24 hours from a single entity. [6] Washington and Oklahoma have similar statutes. California's CPRA adds data-privacy angles around how you store and use phone numbers. [11] You have to look at the law of the state where your recipient lives, more than where you operate.
The interaction between federal and state law matters for local text message marketing especially. A restaurant running a loyalty SMS program in Miami faces both the TCPA and the Florida Mini-TCPA at once, and the Florida rules are meaningfully stricter.
| Law | Regulator | Key requirement | Damages per violation |
|---|---|---|---|
| TCPA (47 U.S.C. § 227) | FCC / private plaintiffs | Prior express written consent for marketing texts | $500, $1,500 [2] |
| Telemarketing Sales Rule | FTC | Disclosure, consent, do-not-call honoring | Up to $51,744 per violation [5] |
| Florida Mini-TCPA (§ 501.059) | FL AG / private plaintiffs | Human review, 8-message daily cap | $500, $1,500 [6] |
| CPRA (California) | CPPA | Data rights, opt-out of sale/sharing | Up to $7,500 intentional [11] |
What counts as an automated text under the TCPA?
This is where most businesses get tripped up. The TCPA restricts messages sent using an "automatic telephone dialing system" (ATDS), which the statute defines as equipment with the capacity to store or produce telephone numbers using a random or sequential number generator and to dial them. [1]
The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid narrowed that definition. [7] The Court held, in its own words, that an ATDS "must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator." A system that dials from a pre-existing list does not qualify on that basis alone. The ruling took some platforms off the hook. It did not eliminate TCPA risk for SMS platforms that do use random-or-sequential generation, or for messages sent with an artificial or prerecorded voice.
Here is the practical picture. If you send bulk texts from a short code or a 10-digit long code through a commercial platform like Klaviyo, Attentive, Postscript, or SimpleTexting, courts are still split on whether those systems qualify as an ATDS after Duguid. Do not assume Duguid protects you. Consent is the safest defense no matter how your platform works.
One-to-one texts sent by hand from a person's own phone to a customer they know are very unlikely to trigger TCPA liability. Risk scales directly with automation and volume.
Do you need written consent to send marketing texts?
Yes, and the written part is not optional for marketing messages.
The FCC's rules split calls and texts into three buckets: emergency messages, which need no consent; informational or transactional messages, which require prior express consent (oral or written); and marketing or advertising messages, which require prior express written consent. [3]
For marketing texts, that written consent must, per FCC rules, include a clear and conspicuous disclosure that the consumer is authorizing marketing texts, the name of the specific company that will be texting, a statement that consent is not a condition of purchase, and the consumer's signature (which can be an electronic signature under the E-SIGN Act). [3]
The FCC's 2024 one-to-one consent rule adds another layer. A single consent checkbox cannot authorize texts from multiple unrelated businesses. If you bought leads from an aggregator whose consumers checked one box authorizing contact from "marketing partners," that consent is almost certainly insufficient under the new rule. [4]
For local text message marketing where the business signs up its own customers directly, the cleanest approach is a double opt-in. The customer texts a keyword to your short code. You send a confirmation text they must reply to. You log both interactions with timestamps. That paper trail wins cases.
What are the opt-out rules for text marketing?
Federal and industry rules require you to honor opt-out requests immediately, or at least within a commercially reasonable time. Courts have read the older FTC Telemarketing Sales Rule standard as no more than 10 business days, but the practical best practice is within 24 hours. [5]
The CTIA, which represents the wireless industry and sets the standards that carriers enforce, requires you to tell subscribers how to opt out in your initial welcome message, to honor the words STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT as opt-out commands, and to send one final confirmation message after the opt-out and then send nothing else. [8]
Carriers enforce these rules on their own, apart from the courts. If your program draws too many STOP responses or spam complaints relative to total messages, a carrier can block your short code or number. That disruption can hit faster than any lawsuit.
Text someone after they opt out and you have handed a plaintiff two things: a TCPA claim for the post-opt-out message and a strong argument for willfulness, which triples the damages to $1,500 per message. [2] Real settlements turn on exactly this fact pattern. The UnitedHealthcare case and the Albertsons/Safeway settlement both involved allegations of texting after consent was withdrawn.
What time restrictions apply to text message marketing?
The TCPA's quiet-hour rule, at 47 C.F.R. § 64.1200(c), prohibits telephone solicitations before 8 a.m. and after 9 p.m. local time at the called party's location. [1] That "local time" language means you have to know the recipient's time zone, not your own.
Picture a business in California texting subscribers in New York. The window is 8 a.m. to 9 p.m. Eastern, not Pacific. Send a promotional text at 8:30 p.m. Pacific and you have just texted a New Yorker at 11:30 p.m. That is a TCPA violation.
State laws pile on more limits. Florida's Mini-TCPA caps automated texts at eight messages per day from a single company. [6]
The CTIA's guidelines are not law, but carriers enforce them, and they recommend avoiding texts before 8 a.m. and after 9 p.m. in the recipient's time zone, matching the TCPA floor. [8] Most commercial SMS platforms let you schedule messages and apply time-zone logic automatically. If yours does not, that is a real compliance gap.
How much do TCPA violations actually cost?
The statutory damages under 47 U.S.C. § 227(b)(3) are $500 per violation and up to $1,500 per willful violation. [2] That sounds manageable until you do the math. A campaign that texts 50,000 people without proper consent is potentially a $25 million exposure at $500 per text, or $75 million if a court finds willfulness.
Class actions are the real threat. Plaintiffs aggregate thousands or millions of individual $500 claims into one lawsuit. Recent settlements show the scale.
The Credit One Bank TCPA settlement resolved allegations about unwanted calls and texts. The Cash App TCPA class action settlement involved large numbers of recipients. UnitedHealthcare paid $2.5 million over alleged TCPA violations. The Truist Bank TCPA settlement and the Albertsons/Safeway TCPA settlement round out the recent list.
Small businesses are not immune. The TCPA carries a private right of action, so any individual whose number was texted without proper consent can sue in small claims or federal court with no class needed. A local plumbing company that bulk-texts a purchased list of 5,000 numbers faces the same per-message exposure as a Fortune 500 firm. The only difference is who is paying attention.
Defense costs alone, before any settlement, can run $200,000 to $500,000 for a contested TCPA class action. Consent documentation is dramatically cheaper.
Can you legally text customers who gave you their phone number?
Giving you a phone number is not the same as consenting to marketing texts. This is one of the most common misconceptions in outbound.
Say a customer handed over their number to finish a purchase, book an appointment, or fill out a contact form. They gave you transactional consent at best. That covers texts tied directly to that transaction: order confirmations, shipping updates, appointment reminders. It does not authorize promotional texts, discount offers, or upsell campaigns.
To send marketing texts to existing customers, you still need prior express written consent that clearly describes the marketing texts they are agreeing to receive. A checkbox at checkout that reads "I agree to receive text messages from [Company]" works, as long as it is not pre-checked and not buried in fine print. [3]
For local programs targeting repeat customers, a keyword opt-in at the point of sale works well: "Text DEALS to 12345 to get weekly offers." The customer starts the contact. You send a confirmation they reply to. The consent chain is documented. That is about as clean as it gets.
LeadCompliant has a free consent-language checker that flags common gaps in opt-in flows before they become litigation fodder. Worth running your checkout or sign-up flow through it.
What industries face the highest TCPA risk for text marketing?
Any industry that relies on purchased lists, lead aggregators, or high-volume outbound SMS faces elevated risk. Some sectors get sued more than others.
Financial services (banks, debt collectors, insurance) is the most-litigated category. The Credit One and Truist settlements fit a clear pattern of large TCPA exposure in consumer financial products. Healthcare is close behind, as the Kaiser TCPA settlement and the UnitedHealthcare case show.
Retail and grocery chains (see Albertsons/Safeway) have faced cases tied to SMS loyalty programs where opt-in language was ambiguous or opt-outs were not processed cleanly.
Real estate, home services, and auto dealers show up as defendants in smaller cases because they lean hard on purchased leads and third-party dialers.
The common thread is not really industry. It is process. Companies that source phone numbers from lead aggregators, that have no documented consent flow, or that fail to suppress opted-out numbers before a campaign runs are the ones getting sued. Industry is just a proxy for how aggressively companies in that space do outbound.
For the latest enforcement actions and settlements, the TCPA news feed is the fastest way to track what is actively getting litigated.
What is the difference between text message marketing and spam?
Legally, the line is consent and disclosure.
A text is spam, in the TCPA sense, when it is a commercial message sent to someone who never gave written permission, or who has already asked you to stop. It is also spam, in plain terms, when the recipient has no idea who you are or how you got their number.
A compliant marketing text is one where the recipient opted in with proper written consent, the message names the sender clearly, opt-out instructions are present or were provided at enrollment, and the message arrives during permitted hours.
The CTIA's Messaging Principles and Best Practices document lays out what separates a legitimate SMS program from a spam operation. [8] Following those standards also protects you from carrier filtering, which is a separate and faster enforcement mechanism than the courts.
There is a grey zone too. Texts that are technically compliant in form but aggressive in frequency or deceptive in content. A company that sends 10 texts a day to people who checked a box expecting one message a week may hold valid consent and still draw carrier action, an FTC inquiry, or both.
How do you run a legally compliant text message marketing program?
The compliance checklist is not complicated. Executing it consistently is where companies fail.
Get real written consent before you send anything. Document it: the exact language the consumer agreed to, the timestamp, the IP address or store location, and the method (web form, paper form, keyword opt-in). Do not rely on verbal consent for marketing messages. [3]
Use a compliant opt-in mechanism. For digital, use an unchecked checkbox, a clear description of what the consumer is signing up for, the company name, a frequency disclosure ("up to 4 msgs/month"), and a link to your Privacy Policy and Terms. For in-store or local text message marketing, use a keyword opt-in to a short code followed by a double opt-in confirmation. [8]
Maintain a real-time suppression list. Every STOP response goes into a list that is checked before every send. This is not optional. It is the single most important operational step. Use an SMS platform that automates it.
Respect time zones. Configure your platform to send only during 8 a.m. to 9 p.m. local time for each recipient. [1]
Identify yourself. Every message should name the sender. "[Company name]: Your 20% discount is waiting..." is fine. An unknown short code with no sender identification fails the FTC's Telemarketing Sales Rule disclosure requirements. [5]
Audit your consent records periodically. If you cannot produce a consent record for any number on your send list within 24 hours, you have a compliance gap.
LeadCompliant's free TCPA compliance kit includes consent language templates, suppression list audit procedures, and a send-time calculator. Running through it once a quarter takes less time than reading a demand letter.
For jurisdiction-specific questions, especially in Florida, California, or Washington, a consultation with a TCPA lawyer familiar with your state's overlay rules is money well spent.
What happens if you receive a text you never consented to?
If you are on the receiving end of unwanted marketing texts, you have real options.
First, reply STOP. Carriers require senders to honor it, and the sender is legally required to stop under both TCPA and CTIA rules. [8] Text you again after a STOP and that is an actionable violation.
Second, you can file a complaint with the FCC through its consumer complaint center at consumercomplaints.fcc.gov. The FCC forwards complaints to the carrier and the sender. [9]
Third, you can file a complaint with the FTC at reportfraud.ftc.gov, particularly if the texts are deceptive or tied to a scam. [10]
Fourth, if you have received multiple texts without consent or after opting out, you may have a private right of action under 47 U.S.C. § 227(b)(3). The statute lets you sue for $500 per violation without proving actual damages. Consult an attorney if the volume is significant. The article on how to stop robocalls has practical steps that apply to unwanted texts too.
Businesses worried about their own exposure should treat these same complaint channels as signals. If your number is drawing FCC complaints, you will hear about it from your carrier before you hear from a lawyer.
Frequently asked questions
Is it legal to send marketing texts without prior consent?
No. Sending marketing texts using an automated system without prior express written consent violates the TCPA (47 U.S.C. § 227). Each message is a separate violation worth $500 to $1,500 in statutory damages. The only narrow exceptions are emergency communications and certain purely transactional messages from companies with an established business relationship, and even those exceptions have limits under FCC rules.
Can I text someone who gave me their phone number to make a purchase?
Not automatically for marketing purposes. Providing a phone number to complete a transaction gives you transactional contact rights, covering things like receipts and shipping updates. Promotional texts require separate prior express written consent that specifically describes marketing messages. A checkout opt-in checkbox (unchecked by default) with clear language about marketing texts is the standard fix.
What is prior express written consent for text marketing?
It is a written agreement, including an electronic signature, in which the consumer clearly authorizes a named company to send marketing texts to their number. The FCC requires the disclosure to state that consent is not a condition of purchase, to identify the sender by name, and to describe the type and approximate frequency of messages. A pre-checked box or buried fine print does not meet this standard.
What are the quiet hours for text message marketing?
The TCPA prohibits telephone solicitations, including marketing texts, before 8 a.m. and after 9 p.m. local time at the recipient's location, not the sender's. If your business is in Los Angeles and your customer is in Miami, you must use Eastern time for that recipient. Some states impose narrower windows, so check state law for your recipient's jurisdiction.
How quickly do I have to honor a text opt-out?
Immediately, in practice. CTIA guidelines require honoring STOP requests without delay and sending one confirmation message, then nothing further. Courts and the FTC have cited the 10-business-day maximum in the Telemarketing Sales Rule as a backstop, but any delay beyond 24 hours is a compliance risk. Texting someone after they have replied STOP is one of the most actionable TCPA fact patterns.
Does the TCPA apply to texts sent from a regular cell phone?
The TCPA applies when messages are sent using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice. After the 2021 Supreme Court ruling in Facebook v. Duguid, an ATDS must use random or sequential number generation. A human manually typing and sending texts one at a time from a personal phone is very unlikely to qualify. But bulk SMS platforms, even when dialing from a list, may still qualify depending on their technical architecture.
Are there different rules for local text message marketing vs. national campaigns?
Federal TCPA rules apply uniformly regardless of geography. The difference with local text message marketing is state law. Florida, California, Washington, and Oklahoma all have state-level rules that can be stricter than the TCPA. A local loyalty SMS program in Florida faces Florida's Mini-TCPA, which caps automated texts at eight per day and imposes additional requirements. Always check the state law where your recipients are located.
Can I buy a list of phone numbers and text them?
No, not legally for marketing. Purchasing a list does not transfer consent. The FCC's 2024 one-to-one consent rule makes it explicit: consent obtained through a lead aggregator's catch-all checkbox does not authorize texts from unrelated third-party companies. You need consent given directly to your named company for your specific marketing program. Texting a purchased list is one of the fastest ways to generate a TCPA class action.
What is the FCC's 2024 one-to-one consent rule?
The FCC issued a rule requiring that consumer consent for marketing texts be given to one company at a time, not to a broad class of unaffiliated sellers. A single opt-in form that routes consent to dozens of unrelated businesses no longer satisfies the prior express written consent requirement. This directly targets lead generation aggregators and the companies that buy those leads.
How does the Joseph Snyder vs. Credit One case relate to text marketing compliance?
The Joseph Snyder Credit One TCPA case illustrates how consumers can bring individual TCPA claims based on repeated unwanted contacts. Cases like this one show that you do not need a class action for TCPA exposure. A single plaintiff who received multiple non-consensual texts can collect $500 to $1,500 per message in statutory damages. See the full case breakdown in the article on the joseph snyder credit one tcpa matter.
What records do I need to keep to prove TCPA compliance?
You need to document the exact consent language displayed to the consumer, the date and time of consent, the method (web form, keyword opt-in, paper form), the consumer's identifying information, and your suppression list with opt-out timestamps. If your platform cannot export this data per subscriber, you have a gap. Courts place the burden on the sender to prove consent. You cannot rely on the consumer to disprove it.
Do non-profit or political text messages have to follow TCPA rules?
Political and non-profit messages sent by a human manually (peer-to-peer texting) to individual contacts have been argued to fall outside the ATDS definition after Facebook v. Duguid. However, bulk automated political texts are still subject to TCPA scrutiny. Non-commercial charitable solicitations may have reduced restrictions under FCC rules, but the exemptions are narrow and the FCC has not granted blanket relief for non-profit marketers.
What should my initial opt-in confirmation text include?
Your first message after someone opts in should confirm enrollment, state the program name, describe message frequency (e.g., "up to 4 msgs/month"), note that message and data rates may apply, and explain how to opt out ("Reply STOP to cancel"). This is both a CTIA requirement enforced by carriers and a best practice that documents the consumer's acknowledgment of the program terms.
Can a TCPA lawsuit be filed in small claims court?
Yes. The TCPA's private right of action under 47 U.S.C. § 227(b)(3) does not require a minimum claim amount, so individuals can bring TCPA claims in small claims court for as little as one or two unauthorized texts. The $500-per-violation statutory damages figure makes small claims a practical venue for individual plaintiffs. This means even a tiny outbound campaign with sloppy consent practices can generate many individual suits.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA restricts calls and texts made using an ATDS or artificial/prerecorded voice, prohibits solicitations before 8 a.m. or after 9 p.m. local time
- U.S. Government Publishing Office, 47 U.S.C. § 227(b)(3), statutory damages: Statutory damages of $500 per violation, up to $1,500 for willful violations
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR requires disclosure and consent for telemarketing solicitations, civil penalties up to $51,744 per violation
- Florida Legislature, Florida Statutes § 501.059, Florida Telephone Solicitation Act (2021 Mini-TCPA): Florida Mini-TCPA limits automated calls and texts to eight per day from a single entity, requires human review before certain automated texts
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use random or sequential number generation to store or produce numbers; a system dialing only from a stored list does not qualify
- FCC, Consumer Complaint Center: Consumers can file complaints about unwanted texts with the FCC, which forwards them to the carrier and the sender
- FTC, Report Fraud: FTC accepts consumer complaints about deceptive or unwanted commercial texts
- California Privacy Protection Agency, California Privacy Rights Act (CPRA): CPRA imposes data rights and opt-out requirements on businesses handling California residents' personal data including phone numbers; intentional violations up to $7,500 each