MMA mobile messaging best practices for outbound compliance

The MMA's mobile messaging guidelines meet TCPA's $500, $1,500-per-text penalties. Here's what outbound teams must do to stay compliant in 2026.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Hands holding a smartphone at a desk showing an outbound mobile messaging conversation
Hands holding a smartphone at a desk showing an outbound mobile messaging conversation

TL;DR

The Mobile Marketing Association's best practices for mobile messaging line up with TCPA rules: get prior express written consent before you send marketing texts, kill opt-outs instantly, name your brand in every message, and never send outside 8 a.m. to 9 p.m. in the recipient's local time. Violations cost $500 to $1,500 per text.

What are the MMA mobile messaging best practices and why do they matter for compliance?

The Mobile Marketing Association's U.S. Consumer Best Practices for Messaging Programs is the industry rulebook that outbound teams treat as the floor for a compliant SMS program [1]. It covers short code campaigns, long code programs, toll-free text, and app-based push. It mirrors the Telephone Consumer Protection Act almost point for point.

Why care about an industry document when federal law already governs this? Two reasons. First, the FCC and private plaintiffs use industry standards to show what a reasonable sender should have known. Deviate from the MMA guidelines, get sued under TCPA, and that deviation becomes evidence of willful noncompliance. That's the moment per-message penalties jump from $500 to $1,500 [2].

Second, carriers enforce these norms through their own acceptable use policies. AT&T, Verizon, and T-Mobile filter or block traffic that breaks MMA norms. So noncompliance isn't only a legal problem. It's a deliverability problem.

The MMA is not a government body. Its guidance has no independent legal force. In practice, though, it works as a de facto rulebook, because the major aggregators (Sinch, Bandwidth, Twilio) cite it in their terms, and the CTIA's Short Code Monitoring Handbook, which carriers actually enforce, builds on the same principles [3].

Following MMA best practices is the cheapest insurance an outbound SMS team can buy.

The MMA splits consent into three tiers, and each one maps onto TCPA's framework [2]. Match the consent to the message and you're on solid ground. Guess, and you're exposed.

Promotional or marketing messages need prior express written consent. The consumer has to take an affirmative step: sign a paper form, check an unchecked opt-in box, reply to a keyword, or scan a QR code that clearly describes the program. A pre-checked box does not count. Consent buried twelve paragraphs into a privacy policy does not count. The opt-in has to spell out four things: that they'll get autodialed or prerecorded marketing messages, the brand name, approximate message frequency, and that consent is not a condition of purchase [2].

Transactional or informational messages (shipping alerts, appointment reminders, fraud alerts) need prior express consent, one tier down. The consumer just has to have handed over their number in a context that reasonably implies those messages, like typing a phone number at checkout for order updates.

Service messages tied to an active account relationship need no separately obtained consent under TCPA. The MMA still expects a clear opt-out.

The MMA also warns against "list rental" or "co-registration" consent, where a consumer checks one box and gets enrolled in messages from a dozen partners. The FCC's 2023 one-to-one consent rule, partially stayed pending litigation but still worth watching, aimed to kill exactly that model [4]. Even without that rule fully in effect, buying "consented" lists from lead aggregators is dangerous ground. A plaintiff's attorney can subpoena the full consent chain. If it breaks anywhere, you own the liability.

For text message marketing, consent is everything. Get it right before you send a single message.

What must every compliant outbound text message contain?

The MMA requires specific disclosures across the life of a marketing program, more than at the initial opt-in [1]. Miss any of them and you've got a separate compliance problem.

At program enrollment (the first message after opt-in), every consumer has to receive:

  • Brand name or program name, clearly stated
  • Customer care contact (a phone number or email for help)
  • Opt-out instructions ("Reply STOP to unsubscribe")
  • Message frequency ("Msg frequency varies" or a specific number like "4 msgs/month")
  • "Msg & data rates may apply"
  • A link to your privacy policy and terms of service

After that first message, the brand name has to appear in every message you send. Part carrier requirement, part common sense. A consumer who gets a text from an unfamiliar short code and can't tell who sent it reports it as spam, and that tanks your sender reputation.

HELP always triggers a reply with the same basic program info. STOP, and its equivalents (CANCEL, END, QUIT, UNSUBSCRIBE), triggers an immediate opt-out confirmation and zero further marketing. The MMA says that confirmation should read something like "You've been unsubscribed from [Brand]. You will receive no further messages." One confirmation after STOP is allowed. Any marketing after that is a TCPA violation [2].

Keep the disclosures tight. Nobody reads a wall of text in SMS. The MMA guidance admits that length is a real constraint, which is why it lets you link to a full-terms page instead of stuffing everything into 160 characters.

Key TCPA and MMA compliance thresholds for outbound SMS Four numbers every outbound messaging team must know 500 Minimum TCPA penalty per text (no consent) 1,500 Maximum TCPA penalty per text (willful violation) 2,100 Quiet hours start (recipient local time, 24h) 10 Opt-out honor window, DNC registry (business days) Source: 47 U.S.C. § 227 (TCPA); 47 C.F.R. § 64.1200 (FCC); CTIA Short Code Monitoring Handbook

What are the allowed hours for sending outbound marketing texts?

No marketing texts before 8 a.m. or after 9 p.m. in the recipient's local time. The MMA mirrors TCPA's calling-hour rule here [2]. Not your time zone. Theirs.

This trips up teams more than you'd expect. A New York company scheduling a campaign at 8:30 a.m. Eastern is texting California subscribers at 5:30 a.m. That's a TCPA violation, an MMA violation, and a guaranteed pile of carrier spam complaints.

When you don't have the subscriber's actual address, the MMA says target by the area code of the number. Reasonable proxy. Not perfect, because people move, but courts have generally accepted good-faith time-zone estimation by area code as a defense.

For campaigns that send at scale, use a platform that supports time-zone-aware scheduling. This is not a bonus feature. It's the line between a clean program and a class action.

Some carriers layer their own quiet hours on top of the legal minimum, sometimes blocking messages before 9 a.m. or after 8 p.m. local. Check your aggregator's acceptable use policy. Carrier filtering happens upstream of legal enforcement, and getting charged for blocked messages is a real operational headache.

How does the MMA framework handle opt-outs and do-not-contact lists?

The MMA requires immediate opt-out processing. When a consumer replies STOP, your platform has to suppress that number from every future marketing send in that program. The Telemarketing Sales Rule gives companies 10 business days to honor a do-not-call request tied to the National Do Not Call Registry [5], but SMS keyword opt-outs are expected to work instantly, because automation makes that trivial.

Suppression lists are not optional. You maintain a program-level list of opted-out numbers and check every outbound batch against it before it goes. Run multiple programs (one for promotions, one for loyalty, one for event alerts) and the MMA wants a company-wide suppression list that captures any STOP from any program, unless your opt-in clearly described separate programs and the consumer opted into each.

Carriers and aggregators flag accounts that re-message opted-out subscribers. In bad cases they suspend the short code. In worse cases the consumer sues. The Credit One TCPA settlement and the Cash App TCPA class action settlement both involved allegations of contacting people who had already asked to stop. That's how expensive ignoring opt-outs gets.

For teams running calls alongside texts, check the do not call list and the mobile phone do not call list before dialing too. Mobile numbers land on the National DNC Registry, which applies to voice calls more than texts, so your suppression has to cover both channels.

What message frequency limits does the MMA recommend?

The MMA sets no hard number on frequency. It requires two things: disclose the frequency at opt-in, and make your actual sending match what you disclosed [1]. Say "up to 4 messages per month" and send 14, and you've broken the agreement the consumer consented to. Those extra messages may have no valid consent behind them.

The practical guidance from the MMA and carrier acceptable use policies is to keep promotional messages at a frequency the consumer would expect from a program they chose to join. High-frequency senders (daily deal programs, sports score alerts) can run more if the opt-in set that expectation up front. Most lead nurturing and sales programs stay under 4 to 8 messages a month.

Frequency is a deliverability issue too, separate from the law. Carriers read complaint rates as a spam signal. Once more than about 0.3% of your messages in a period draw spam complaints, filtering starts. Overloading subscribers is the fastest way to hit that number.

Need to raise frequency? Message your existing subscribers about the change before it takes effect, and give them a clean way to opt out if the new pace doesn't work. Not legally required. Good practice, and it protects the consent you already have.

How do MMA guidelines apply to different message types: P2P, A2P, short code vs. long code?

This is where teams get confused. The MMA and TCPA both care about the technology you use and the nature of the message.

Application-to-Person (A2P) messaging, which is what nearly all outbound sales and marketing SMS is, falls under the full MMA best practices and TCPA requirements. Doesn't matter if you send via a dedicated short code, a 10-digit long code (10DLC), or a toll-free number. If software automates or initiates the send to a list of consumers, it's A2P.

Short codes (5 or 6 digit numbers) go through a carrier vetting process managed by the Short Code Registry. The CTIA's Short Code Monitoring Handbook requires explicit opt-in language on every call-to-action, and carriers audit it actively [3]. Short codes allow higher throughput (hundreds of messages per second) but cost more to lease, roughly $500 to $1,000 per month for a dedicated code [3].

10DLC (10-digit long code) requires Campaign Registry registration for A2P use. Carriers route unregistered 10DLC traffic through lower-reliability paths or filter it outright. Registration covers your brand and your specific campaign use case. Messaging fees and throughput limits vary by carrier and registration tier.

Toll-free numbers can send A2P at moderate volume but require toll-free verification with the aggregators. Unverified toll-free numbers hit daily sending caps (around 2,000 messages a day as of 2024, though carrier policies keep shifting).

Person-to-Person (P2P) messaging between two individuals doesn't trigger TCPA's automated dialer provisions. It's also not a realistic channel for outbound sales at scale, and trying to fake P2P through software to dodge TCPA is exactly what the FCC has punished.

ChannelThroughputCost approx.Carrier Vetting Required
Dedicated Short CodeHigh (100+ msg/sec)$500, $1,000/mo leaseYes, CTIA/SCR review
10DLC (registered)Moderate (varies by tier)Low per-messageYes, Campaign Registry
Toll-Free (verified)Moderate (~2,000/day unverified)Low per-messageYes, aggregator verification
P2P Long CodeVery lowNear zeroNo (but can't scale)

What disclosures are required at the point of opt-in under MMA best practices?

The opt-in moment is the most legally consequential moment in an SMS program. Everything downstream depends on it being valid.

The MMA requires that the call-to-action, the place where a consumer decides to join, display all of the following before they confirm enrollment [1]:

1. Program or brand name 2. Description of the types of messages they'll receive 3. Message frequency ("Msg frequency varies" is fine if you genuinely can't predict it) 4. "Msg & data rates may apply" 5. How to opt out ("Reply STOP to cancel") 6. How to get help ("Reply HELP for help") 7. Link to privacy policy 8. Link to terms and conditions 9. Statement that consent is not a condition of purchase (for marketing messages)

For web opt-in forms, the standard layout puts items 1 through 5 right below the phone number field, above the submit button. Label that button "Join" or "Subscribe," not a generic "Submit" that hides what the consumer is agreeing to.

For keyword opt-in (consumer texts a keyword to your number), the call-to-action that prompted the keyword, whether a flyer, web page, or in-store sign, still has to display those disclosures. The consumer never sees them inside the texting flow, so they have to live on whatever prompted the text.

Save screenshots or logs of every opt-in. When a plaintiff's attorney sends a demand letter, the first thing they ask for is proof of consent. Can't produce it, and you're negotiating from a very weak position.

How does the FCC's TCPA enforcement interact with MMA guidelines?

The TCPA, at 47 U.S.C. § 227, prohibits using an automatic telephone dialing system or prerecorded voice to call or text a cell number without prior express consent [2]. The FCC implements and enforces the rules under 47 C.F.R. § 64.1200 [11].

The statute says anyone who violates it is liable for "actual monetary loss" or $500 per violation, whichever is greater, and courts may triple that to $1,500 for willful or knowing violations [2]. Each text is a separate violation. Send 10,000 texts without consent and your exposure starts at $5 million, before any class gets certified.

The FCC has issued a run of orders that shape how these rules hit modern texting. Its 2012 TCPA order required prior express written consent for marketing texts and calls to cell phones using autodialers, replacing the old opt-out model [6]. Its 2023 order on one-to-one consent, though partially stayed by the 11th Circuit pending review, targeted lead generation consent chains where one form bundled consent for dozens of sellers [4].

The MMA guidelines are not FCC rules. But in TCPA litigation, plaintiffs regularly argue that straying from MMA or CTIA standards proves the kind of knowing disregard that justifies treble damages. The FCC itself has cited industry standards in enforcement actions to establish what a reasonable sender should have known.

Run outbound calls alongside your SMS program and the same statute governs voice. See our explanation of cold calling rules and the do not call telemarketer list requirements for the voice side.

What does a compliant outbound SMS program look like in practice?

Here's what a clean setup looks like for a small outbound sales team, step by step.

Step one: define your use case. Lead nurturing? Appointment reminders? Promotional offers? Each use case may need its own campaign registration (especially on 10DLC) and its own opt-in language, because the consent has to match the messages you send.

Step two: build the opt-in. A web form with clear disclosures above the submit button, or a keyword campaign with disclosures on the call-to-action materials. Timestamp and log every consent event: the consumer's number, the date, the form or keyword used, and the IP address for web opt-ins.

Step three: send the onboarding message. Consumer texts in or submits the form. The first automated reply confirms enrollment and restates the program name, frequency, opt-out instructions, and "Msg & data rates may apply." It goes out within seconds.

Step four: build your suppression list. Every STOP reply adds the number to a do-not-contact list that gets checked against every send. Suppress numbers on the National DNC Registry too if your messages could read as telemarketing (the line between informational and promotional blurs fast).

Step five: schedule inside compliant hours. Your platform sends in the subscriber's local time, 8 a.m. to 9 p.m. only.

Step six: monitor complaint rates. Your aggregator dashboard shows spam complaint rates. Spike above 0.3% and you pause, then investigate, before sending more.

Tools like LeadCompliant's free TCPA compliance checkers can audit your consent language and message disclosures before you go live, catching the obvious gaps before they turn into $1,500-per-text problems.

Step seven: keep records for at least four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 [7]. Your consent logs, opt-out logs, and message archives all need to survive that window.

What are the biggest compliance mistakes outbound SMS teams actually make?

Nobody has clean aggregate data on which violation type shows up most in litigation (the plaintiff's bar doesn't publish its target lists). But from FCC enforcement actions, publicly filed class actions, and carrier enforcement, a few patterns repeat.

Buying lists. Purchasing phone numbers and texting them without independent consent is the fastest way to get sued. The seller's consent documentation rarely survives scrutiny. The 2015 FCC Omnibus Order was explicit: consumers must have consented to messages specifically from the seller, not "marketing messages from our partners" [6].

Texting after STOP. Any system that resets opt-out status when a number reappears in a new upload, or any workflow that re-adds suppressed numbers, is an automated liability machine. This is the allegation pattern in dozens of large TCPA settlements.

No time-zone controls. Small teams schedule in their own local time without checking recipients. Early-morning texts draw high spam complaint rates and are per se TCPA violations.

Weak opt-in records. "We use a web form" is not a defense if you can't produce the actual consent record for a specific number on a specific date. You need server logs or CRM records tying a timestamp, an IP, and a phone number to an opt-in event.

Misclassifying messages. Calling something "transactional" when it actually promotes a product is wishful thinking courts don't buy. If the message would make a consumer more likely to purchase, it's marketing and needs written consent.

Skipping 10DLC registration. Unregistered 10DLC traffic gets filtered. When teams notice delivery failures and jump to a new number without registering, they spin up a cycle of compliance gaps and carrier problems.

If your team also does outbound calling, check how to get the do not call list and scrub both channels against it. SMS and voice share most of the same consent and suppression requirements.

Are there state laws that add requirements on top of the MMA and TCPA?

Yes, and small teams consistently underestimate this exposure.

California's Invasion of Privacy Act (CIPA) has fueled a wave of lawsuits against companies that record or intercept communications, and plaintiffs have argued certain automated messaging systems qualify [8]. California also sets specific requirements for commercial text messages under its Business and Professions Code.

Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a private right of action for unsolicited texts with its own strict consent requirements. It applies to any text sent to a Florida area code, no matter where the sender sits [9]. FTSA damages can stack on top of TCPA damages.

Washington, Oklahoma, and several other states run their own telemarketing or automated calling statutes that sometimes reach texts [10]. The map is genuinely fragmented and still changing.

The practical advice: don't treat TCPA compliance as enough for a national campaign. Texting into California or Florida in any volume? Get legal advice specific to those states. The MMA best practices don't touch state variations at all. They're federal-focused.

The MMA framework, TCPA, and your aggregator's acceptable use policy together cover the federal floor. State law can raise that floor a lot, and the private plaintiff's bar in Florida and California knows exactly where the gaps are.

Frequently asked questions

Does following MMA mobile messaging best practices protect you from TCPA lawsuits?

Following MMA guidelines cuts your risk sharply but doesn't immunize you. MMA compliance shows you operated like a reasonable industry participant, which matters when a court decides whether a violation was willful. But if you lacked valid consent for even one message, you can still face a $500 to $1,500 per-text claim. MMA compliance is a risk-reduction strategy, not a legal shield.

The Mobile Marketing Association is an industry trade group, not a government body, and it has no independent legal authority. Its best practices carry weight because carriers, aggregators, and courts treat them as the industry standard of care. Deviating from MMA guidance can be used as evidence that a TCPA violation was knowing or willful, which triggers the $1,500-per-message treble damages provision.

Can I text a mobile number that's on the National Do Not Call Registry?

The National DNC Registry was built for voice telemarketing calls, not texts, so its legal application to SMS is contested. Even so, many legal teams advise scrubbing DNC numbers from marketing text lists, especially if your texts have a promotional character. The FCC has indicated that texts with a solicitation purpose can fall under TCPA provisions that line up with DNC protections. When in doubt, suppress.

What's the difference between short code and 10DLC for outbound compliance?

Short codes (5-6 digits) go through a CTIA vetting process and support very high throughput, but cost $500 to $1,000 a month to lease. 10DLC (10-digit long codes) require Campaign Registry registration for A2P use and support moderate throughput at lower cost. Both need the same opt-in disclosures and consent standards. Neither is inherently more compliant. The consent and opt-out practices behind the number are what matter legally.

The TCPA's statute of limitations under 28 U.S.C. § 1658 is four years from the date of the violation. Keep consent records, including the phone number, timestamp, opt-in method, and the exact opt-in language the consumer saw, for at least four years. If litigation hits, these records are your primary defense. A suppression log showing when a number opted out matters just as much.

What keywords must I support for opt-out in a compliant SMS program?

The MMA and CTIA both require that STOP, CANCEL, END, QUIT, and UNSUBSCRIBE all trigger an immediate opt-out and confirmation message. The confirmation can mention how to re-subscribe but must send zero further marketing. HELP must trigger a reply with your brand name, contact information, and opt-out instructions. These keyword responses have to stay active at all times, including during scheduled quiet hours.

Is buying a list of "consented" phone numbers from a lead vendor legal for SMS?

This is one of the highest-risk practices in SMS marketing. The FCC has made clear that TCPA consent must be specific to the seller sending the message. Consent from a third-party lead form that bundles opt-ins for multiple companies almost never survives legal scrutiny. If a plaintiff's attorney subpoenas the consent chain and finds a gap, you're liable regardless of what the vendor told you. Treat purchased lists as unconsented by default.

What message frequency is allowed under MMA guidelines?

The MMA sets no hard per-month cap, but it requires that your actual sending frequency match what you disclosed at opt-in. If your opt-in said 'up to 4 messages per month' and you send 12, those extra messages may lack valid consent. Most promotional programs stay under 4 to 8 messages a month. High-frequency programs (daily alerts) are allowed if the opt-in clearly set that expectation and the consumer agreed.

Do transactional texts like appointment reminders need the same consent as marketing texts?

No, but they still need consent. Transactional or informational messages require prior express consent, meaning the consumer gave you their number in a context that reasonably implies those messages, like booking an appointment. Marketing messages require the higher standard of prior express written consent, with an affirmative opt-in step and specific disclosures. The risk is misclassifying a promotional message as transactional, which courts scrutinize closely.

What happens if I text someone outside the 8 a.m. to 9 p.m. window?

Texting outside 8 a.m. to 9 p.m. in the recipient's local time is a TCPA violation, period. Each out-of-hours message carries $500 to $1,500 in potential liability. Time-zone errors are a common source of class action allegations because they're easy to prove at scale. Use a platform that schedules delivery by the subscriber's local time, estimated at minimum by area code.

How do carrier spam complaint rates affect my compliance posture?

Carriers use spam complaint rates, the percentage of recipients who report your messages as spam, as a filtering signal. Rates above roughly 0.3% can trigger filtering or suspension of your sending number. High complaint rates also point to underlying consent problems, since people who genuinely opted in rarely report messages as spam. A rising complaint rate is both a deliverability warning and a signal that your consent or frequency practices need review.

Do MMA best practices apply to texts sent from CRM platforms like Salesforce or HubSpot?

Yes. If software initiates or automates the send, even from a CRM, it counts as A2P messaging and falls under TCPA and MMA requirements. A human clicking 'send' inside a CRM may or may not remove the ATDS characterization depending on the system's architecture, but the consent and opt-out requirements apply regardless. Many CRM platforms now offer built-in 10DLC registration and consent management to help with this.

What's the risk of using a shared short code for outbound SMS marketing?

Shared short codes, where multiple brands share one 5-6 digit number distinguished only by keywords, were deprecated by major carriers in 2021. Most carriers stopped supporting them because they made it hard for consumers to tell who texted them and blocked effective opt-out processing. If you're still on a shared short code, migrate to a dedicated short code, a registered 10DLC number, or a verified toll-free number as soon as you can.

Can employees send compliant cold texts to prospects without prior consent?

Not as a marketing or sales solicitation, no. TCPA's prior express written consent requirement applies to automated or prerecorded messages to cell phones. A truly manual text sent one at a time from an individual's personal phone, without software automation, is more defensible but still risky. Most outbound SMS programs use software, which makes them A2P and requires consent. There's no reliable cold-text loophole for sales outreach.

Sources

  1. Mobile Marketing Association, U.S. Consumer Best Practices for Messaging Programs: MMA Best Practices establish required disclosures, opt-in standards, and opt-out keyword requirements for A2P messaging programs
  2. 47 U.S.C. § 227, Telephone Consumer Protection Act (via Cornell LII): TCPA prohibits autodialed or prerecorded calls/texts to cell phones without prior express consent; violations are $500 per violation, up to $1,500 for willful violations
  3. FTC, Telemarketing Sales Rule, 16 C.F.R. § 310.4: Telemarketing Sales Rule requires honoring do-not-call requests within 10 business days; the National DNC Registry was established for voice telemarketing
  4. 28 U.S.C. § 1658, Federal Statute of Limitations (via Cornell LII): Federal catch-all statute of limitations is four years, applicable to TCPA claims; consent and opt-out records should be retained for at least four years
  5. California Penal Code § 630 to 637.9, California Invasion of Privacy Act: California's Invasion of Privacy Act has been cited in lawsuits targeting automated messaging systems for recording or interception of communications
  6. Florida Statute § 501.059, Florida Telephone Solicitation Act (FTSA), as amended 2021: Florida's FTSA, amended in 2021, created a private right of action for unsolicited texts with strict consent requirements applying to any text sent to a Florida area code
  7. National Conference of State Legislatures, State Telemarketing Laws: Multiple states including Washington and Oklahoma have their own telemarketing or automated calling statutes that can apply to SMS in addition to federal TCPA requirements
  8. 47 C.F.R. § 64.1200, FCC TCPA Implementing Regulations (via eCFR): FCC implementing regulations for TCPA set out time-of-day restrictions (8 a.m. to 9 p.m. recipient local time) and consent requirements for automated messages

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit