Opt-in SMS marketing: the complete compliance guide

TCPA requires written consent before you send marketing texts. Learn opt-in types, required disclosures, opt-out rules, and penalties up to $1,500 per message.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Hand holding a smartphone on a wood table, representing SMS opt-in marketing consent
Hand holding a smartphone on a wood table, representing SMS opt-in marketing consent

TL;DR

SMS marketing opt-in means getting written consent from a consumer before you send promotional texts. Under 47 U.S.C. § 227 (TCPA), sending marketing texts without prior express written consent costs $500 to $1,500 per message in statutory damages. Single opt-in is legal but risky. Double opt-in adds a confirmation step that helps prove consent. Every program needs clear opt-out instructions.

Opt-in SMS marketing means one thing: you collect a person's explicit agreement to receive promotional texts before you send a single one. The word "opt-in" carries legal weight, more than polite-marketer weight.

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the federal law that controls this. It prohibits using an automatic telephone dialing system or an artificial or prerecorded voice to call or text a cellular phone without the called party's prior express consent [1]. For marketing messages, the FCC's 2012 order raised that bar to "prior express written consent," which has a precise legal meaning we cover below.

The statute itself covers any call "using any automatic telephone dialing system or an artificial or prerecorded voice" made to "any telephone number assigned to a... cellular telephone service" [1]. Courts have read "call" to include SMS text messages since 2009.

Why does this matter for a small team? The TCPA is a strict-liability statute in most respects. You do not need to intend to break the law to break it. Send 10,000 promotional texts to a purchased list without proper consent and you face exposure of $500 to $1,500 per message. Run that math. It gets ugly fast.

For a full grounding in the statute, see our guide to tcpa and tcpa sms compliance.

Valid written consent under the TCPA is a signed written agreement, which can be electronic, that clearly authorizes marketing texts from your specific company and states that consent is not required to buy anything. That standard comes from the FCC's 2012 Report and Order (FCC 12-21) [2]. Miss any element and your consent may not hold.

The order requires a written agreement that:

1. Is signed by the person. A typed name, a checked box, or a digital signature all qualify as an electronic signature under the E-SIGN Act [11]. 2. Clearly authorizes the sender to send autodialed or prerecorded marketing messages. 3. Discloses that consent is not a condition of purchasing any good or service.

That last point trips up a lot of companies. If your checkout says "enter your phone number to complete your order" with no opt-in language, that is not consent. Consent has to be free. Bundling it with a purchase condition is banned outright.

Consent also has to be specific to your company. A consumer opting in through a lead-gen partner's form does not give you valid consent unless the form named your brand and the consumer agreed to hear from you specifically. The FCC has tightened this. Its January 2024 one-to-one consent order (effective January 2025) requires that each seller be individually and clearly identified at the moment of consent [3].

A compliant web opt-in form needs several things: a clear description of the program, your business name, expected message frequency, a disclosure that message and data rates may apply, links to your privacy policy and terms, an explicit consent checkbox that is not pre-checked, and a line stating consent is not required to make a purchase. Our sms opt-in form resource has templates.

One more thing. Consent attaches to the phone number, not the person's name. If someone gets a new number, whoever inherited the old one inherits no consent. This is why scrubbing your list against the FCC's Reassigned Numbers Database matters [4].

What is the difference between single opt-in and double opt-in for SMS?

Single opt-in means a person submits their number and agrees to texts in one action: checking a box on a web form, or texting a keyword to your short code. You have consent on record and can start sending. Double opt-in adds a confirmation step, where the person replies YES before you enroll them. Neither is required by law, but double opt-in gives you a stronger record.

Here is how the two compare in practice.

FactorSingle opt-inDouble opt-in
Legal sufficiencyYes, if form is compliantYes
Proof of consentForm record + timestampForm record + reply record
Risk of fake numbersHigherLower (bad numbers never confirm)
List deliverabilityLower (more invalid numbers)Higher
Drop-off at enrollmentNone10-30% (rough industry estimate)
Carrier complianceAcceptablePreferred by most carriers

Neither the TCPA nor current FCC rules mandate double opt-in for SMS marketing. Single opt-in is legally sufficient if the original consent meets every written-consent element above [2]. So why bother with the extra step?

Because carriers reward it. AT&T, T-Mobile, and Verizon, along with the CTIA that publishes the messaging guidelines carriers enforce, recommend double opt-in [5]. Carrier filtering penalizes senders with high complaint or opt-out rates. If you run a high-volume program and your deliverability slips, double opt-in usually fixes it.

My honest take: for any program sending more than a few hundred messages a month, double opt-in earns its enrollment drop-off. The cleaner list and the confirmation record both protect you. For a fuller breakdown, see sms double opt-in.

TCPA SMS violation exposure at a glance Key figures every outbound team needs to know 500 $500 per text 1,500 $1,500 per willful violation 4 4-year statute of limitatio… 47M $47M largest known SMS settlement (Jiffy Lube) Source: 47 U.S.C. § 227 (citation 1); FCC 12-21 (citation 2); WebRecon LLC (citation 10)

What disclosures must appear in your SMS opt-in language?

Your SMS opt-in disclosure must name the program, state message frequency, warn that message and data rates may apply, explain how to opt out (Reply STOP), explain how to get help (Reply HELP), and link to your privacy policy and terms. Those elements come from the CTIA's Messaging Principles and Best Practices, which carriers treat as enforceable standards [5]. Getting someone to check a box is not enough. The language around the box decides whether the consent holds.

The required elements:

  • Program name or brand name
  • Message frequency ("Up to 4 msgs/month" or "Msg frequency varies")
  • "Msg & data rates may apply"
  • How to opt out ("Reply STOP to unsubscribe")
  • How to get help ("Reply HELP for help")
  • Links to Privacy Policy and Terms of Service

On a web form, these sit next to or below the phone number field, not buried in general terms. Regulators and plaintiff attorneys ask a simple question: would a reasonable person reading the page clearly understand what they agreed to? Small gray text five scrolls under the button fails that question.

For keyword opt-ins, the confirmation message has to carry most of these elements itself. A proper confirmation text reads something like: "[Brand]: You're signed up for deals. Msg & data rates may apply. Up to 4 msgs/month. Reply STOP to cancel, HELP for help."

FCC enforcement actions have cited missing disclosures as a factor in violation findings, even where some consent existed [2]. State attorneys general in Florida and Washington have brought their own actions focused on weak disclosure language under state SMS laws [6][7].

How should you handle SMS opt-out requests?

Opt-out handling is not optional and not flexible. When a consumer revokes consent, you must honor it. The FCC's 2023 order made this explicit: consumers can revoke consent "at any time and through any reasonable means," and you get a reasonable time to process it but cannot build in a long delay [8]. Ignore a STOP and every message after it becomes its own violation.

For SMS, carrier rules and the CTIA require your system to recognize these opt-out keywords and stop sending: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT [5]. When someone sends one, your platform must:

1. Send a single final confirmation text acknowledging the opt-out. 2. Remove the number from all marketing sends immediately, or within one business day at the outside. 3. Log the opt-out with a timestamp.

You cannot force someone to call a number or fill out a web form to opt out of texts. Adding steps beyond a simple reply keyword is a violation. One more marketing text after a STOP is a separate TCPA violation at $500 to $1,500.

The opt-out confirmation is the one text you may send after a STOP. Keep it short and plain: "You've been unsubscribed from [Brand] alerts. You won't receive any more messages."

Keep your opt-out records for the statute of limitations period at minimum. TCPA claims carry a four-year federal statute of limitations [9]. If someone sues claiming you kept texting after they opted out, your only defense is showing they never sent the keyword, or that your logs prove you processed it correctly.

For the full opt-in and opt-out lifecycle, the sms opt in page walks through both sides of the consent record.

What are the penalties for sending SMS messages without proper opt-in?

The TCPA sets statutory damages at $500 per violation, where each text to each recipient counts as one violation. A court can triple that to $1,500 per violation if the conduct was willful or knowing [1]. There is no cap on the number of violations in a class action. That last fact is what turns a sloppy campaign into a company-ending number.

Run the arithmetic. Send a promotional text to 50,000 numbers without valid consent, and at $500 per text you are staring at $25 million in exposure. Courts have certified TCPA class actions and approved settlements at this scale. Papa John's paid $16.5 million in 2018. Jiffy Lube settled for $47 million. Life Time Fitness paid $15 million [10].

The FCC can also levy forfeiture penalties separate from private suits. State attorneys general can bring actions under state analogues, some with higher per-violation amounts.

Good intent is not a defense. Buying a "compliant" list from a data vendor and texting it without independently verified consent gives you no protection. The TCPA puts the burden of proving consent on the sender.

The FCC's one-to-one consent rules, effective January 2025, went straight at lead generation, where a single opt-in form was used to authorize hundreds of companies [3]. If you buy leads from third-party generators, verify that your brand was named in the consent the consumer actually saw.

For current enforcement news and recent outcomes, bookmark tcpa news today and lead generation compliance news.

Not every text needs the same consent. Marketing texts need prior express written consent, the highest bar. Informational texts (appointment reminders, shipping updates, fraud alerts, 2FA codes) need only prior express consent, which can be oral or implied. A handful of message types are exempt entirely. The line between the categories decides which rule you live under.

Prior express written consent is required for marketing, advertising, or telemarketing texts, meaning any message whose primary purpose is to encourage a purchase [2].

Prior express consent, the lower bar, covers informational messages tied to a transaction: appointment reminders, fraud alerts, shipping notifications, two-factor codes [2]. If someone hands you their number during a transaction, they have generally given prior express consent for informational messages about that transaction.

Here is the trap. A single promotional sentence can upgrade an otherwise informational message to marketing under FCC guidance. A shipping notification with a coupon code baked in is a marketing message and needs written consent.

Some messages are exempt: emergency messages, messages sent by or for a tax-exempt nonprofit, certain healthcare messages (HIPAA adds its own layer), and calls that do not use an ATDS to a non-mobile number. Each exemption has conditions and carve-outs, so do not assume one applies without reading the specific rule.

If you run a restaurant, retail shop, or local service business, the transactional-versus-promotional split shapes your entire program. See sample text message marketing for restaurants for practical examples.

How do you collect SMS opt-ins legally through different channels?

You can collect SMS marketing consent through web forms, keyword text-to-join, paper forms, verbal collection followed by written confirmation, and social lead ads. Each channel is legal if the disclosure language and the record you keep meet the TCPA's written-consent standard. The channel changes the mechanics, not the standard.

Web forms. The common method. A phone field, compliant disclosure language right next to it, an unchecked consent box, a submit button. Retain the form version the person saw (a screenshot or version log), the IP address and timestamp of submission, and the exact language they agreed to.

Keyword opt-in (text to join). You advertise a keyword and short code ("Text DEALS to 55512"). Texting the keyword signals intent to opt in. You reply with a confirmation carrying all required disclosures, and in a double opt-in flow, ask them to confirm. The ad promoting the keyword must itself carry basic disclosure language: frequency, "msg & data rates may apply," and how to get help.

Paper forms. Point-of-sale sign-ups or event forms. Valid if they carry compliant written disclosure language and the person signs or initials. Enter the number into your system, then send an initial confirmation text to document the mobile consent.

Verbal opt-in. You can take a number verbally, but verbal alone does not clear the written-consent bar for marketing texts. Some businesses follow a verbal collection with a written confirmation the person must reply to, which effectively becomes a double opt-in. It is clunky, and most compliance attorneys just point you to a web or paper form.

Social media lead ads. Facebook, Instagram, and similar lead-gen formats can capture numbers with pre-filled consent fields. Read the fine print. The platform's terms and your ad's disclosure language together have to satisfy the written-consent standard. Pre-filled consent boxes a user must uncheck are generally not valid.

For teams using a marketing text message service or text message marketing software, most platforms have opt-in workflow tools built in. The legal responsibility for compliant language still sits with you, not the platform.

Do B2B SMS messages need the same opt-in as B2C?

Yes, if the number is a cell phone. This is one of the grayer corners of TCPA law, and anyone selling you a clean B2B exemption is oversimplifying. The TCPA protects the number, not the person's role.

Text a business contact's personal cell, even about a business matter, and the TCPA applies fully because the number is assigned to a cellular service. Text a business landline that has no texting and different rules apply (the text probably will not land anyway).

Where it gets murky: some courts have found that when a business employee hands over their cell number on a card or in a professional setting, there is implied prior express consent for business communications tied to that context. But implied consent only reaches the informational-message standard, not the written-consent standard for marketing.

So if your B2B outreach has any promotional purpose, you need written consent, same as B2C. Selling to a business does not change the analysis.

Selling internationally or to European businesses adds GDPR consent on top. See b2b lead generation platforms gdpr compliance for how those rules interact.

Real estate teams hit this constantly with agent and broker contacts. Same principle: cell phones need proper consent regardless of whether the recipient is acting professionally. See real estate text message marketing for industry-specific guidance.

In a TCPA lawsuit or FCC inquiry, the burden of proving consent falls entirely on you. "We used a reputable vendor" is not proof. "Our platform says they opted in" is not proof. You need actual records, retrievable on demand.

For each opted-in subscriber, you should be able to produce:

  • The exact form or keyword they used to opt in (a timestamped screenshot of the form version, or a log of the keyword reply)
  • The date, time, and IP address of the submission (for web forms)
  • The specific disclosure language they saw
  • Any confirmation message sent and, for double opt-in, the confirmation reply
  • Any later opt-out request and the timestamp it was processed

The FCC's Reassigned Numbers Database (RNDB) matters here too. A number once assigned to one consumer may now belong to someone who never consented. Texting that reassigned number is a violation even with a valid consent record for the original owner. The FCC's safe harbor protects you from liability on the first text to a reassigned number if you queried the RNDB and it showed no reassignment [4].

How long to keep records? The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 [9], so five years is a reasonable floor. Some attorneys keep records indefinitely for any closed program.

LeadCompliant's free compliance kit includes a consent-record template and a checklist of what each subscriber record should hold, useful if you are building recordkeeping from scratch.

What state laws affect SMS marketing opt-in beyond the TCPA?

The TCPA is a floor, not a ceiling. Several states have layered their own telemarketing and SMS laws on top, and the strictest one that applies to your subscribers is the one you have to design around.

Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a private right of action for autodialed texts and robotexts to Florida consumers without written consent, mirroring TCPA standards with Florida-specific procedure [6]. Florida plaintiffs drove a sharp spike in SMS litigation from 2021 on.

Washington State's Commercial Electronic Mail Act and related consumer protection statutes give the state AG power to pursue deceptive or unwanted text campaigns [7]. Washington enforces aggressively.

Oklahoma, Texas, and several other states run mini-TCPA statutes covering intrastate calls and texts. The TCPA generally preempts conflicting state law for interstate communications, but state laws that are stricter (more protective of consumers) are not preempted.

California's CCPA and CPRA add a privacy layer. Collect a number through a web form and you have data-handling duties around that information whether or not you ever send a text. California consumers can also request deletion of their contact data.

The practical move: make your opt-in form conservative enough to satisfy the strictest state law across your subscriber base, above the federal minimum. If you have any Florida or California subscribers, build to those standards for everyone. It beats maintaining state-by-state variations.

How do you build an SMS opt-in compliance checklist for your program?

Compliance is a system, not a one-time task. A working SMS marketing program has a before-launch checklist, an ongoing routine, and a change protocol. Here is what each looks like.

Before launch:

  • Written consent language reviewed by a TCPA-experienced attorney
  • Form version logged and archived
  • Platform configured to honor STOP, UNSUBSCRIBE, CANCEL, END, QUIT, STOPALL
  • Opt-out confirmation message set up
  • Consent records stored in a retrievable format
  • RNDB scrub process established before the first send

Ongoing:

  • Scrub the list against the FCC's Reassigned Numbers Database before each campaign
  • Check against the Do Not Call Registry if your texts carry calls-to-action that could read as telemarketing (belt-and-suspenders)
  • Log every opt-out immediately. Do not batch-process opt-outs on a weekly schedule
  • Audit consent records quarterly: can you pull proof of consent for a random subscriber inside 60 seconds?
  • Review new leads from third-party generators for proper one-to-one consent under the 2025 FCC rules [3]

When you change the program:

  • New message types or new brands need new consent. Consent to hear from Brand A does not cover Brand B, even under one parent company.
  • If you switch SMS platforms, make sure consent records transfer with the list. A new platform creates no new consent.

LeadCompliant's free TCPA tools include a DNC checker and a consent-audit checklist covering most of these steps, which saves you the build.

Frequently asked questions

Can I text someone who gave me their number on a business card?

Not for marketing, and not without explicit written consent. A business card number can imply prior express consent for informational or transactional messages tied to that business context, but the TCPA requires prior express written consent for marketing texts sent via autodialer. Send a web form or keyword opt-in link first and get a documented agreement before adding them to any promotional campaign.

No. A pre-checked box fails the TCPA's prior express written consent standard because the consumer took no affirmative action to agree. The FCC's 2012 rules require a signature reflecting the consumer's agreement. Regulators treat pre-checked boxes as invalid consent. Always use unchecked boxes a user must actively select before submitting.

How long does it take to process an opt-out after someone texts STOP?

You must honor it as fast as your system allows, and certainly before your next send. The FCC's 2023 consent revocation order says businesses cannot impose unreasonable delays. In practice most SMS platforms process STOP replies within seconds. One additional marketing text after a documented STOP is a separate TCPA violation at $500 to $1,500 per message.

The TCPA sets no hard expiration date, but consent can go stale. If a subscriber has not engaged for one to two years and you have no record of a recent interaction, sending carries real risk: numbers get reassigned, and a dormant subscriber may have forgotten they ever opted in. Most platforms let you run a re-consent campaign before texting long-dormant segments.

The FCC's January 2024 order, effective January 2025, requires that each company sending marketing texts be individually and clearly identified at the point of consent. A single opt-in form authorizing contact from dozens of unnamed partners is no longer valid. If you source leads from third-party generators, confirm your brand name appeared explicitly in the disclosure the consumer saw.

Can I use a purchased SMS list if the vendor says it is TCPA compliant?

No vendor guarantee substitutes for actual documented consent. Vendors misrepresent list quality often, and even once-compliant forms go stale as numbers get reassigned. Text a purchased list and the legal risk sits with you. At minimum you would need the original consent records, the exact form language consumers saw, timestamps, and IP addresses for every number. Few vendors hand that over.

Does double opt-in eliminate TCPA liability?

It cuts risk sharply but does not erase it. A confirmation reply is strong evidence of consent, but you still need the original opt-in language to be compliant, the confirmation text to carry required disclosures, and your opt-out handling to work. Double opt-in is one layer of a system, not a complete shield. Courts weigh the totality of your consent process.

What is the difference between an opt-in for calls and an opt-in for texts?

Under the TCPA, both need prior express written consent for marketing if made via ATDS or prerecorded voice. But consent language should name the channel. A form that says only "I agree to receive phone calls" may not cover texts, and vice versa. Best practice is separate checkboxes for calls and texts, so consent is channel-specific and hard to dispute.

Are there message frequency limits for SMS marketing programs?

The TCPA and FCC set no fixed daily or monthly maximum. But your opt-in disclosure has to describe the frequency you intend, and sending far more than you disclosed can read as deceptive. CTIA guidelines require disclosing expected frequency at opt-in. Carrier filtering also flags high-frequency senders with low engagement, which hurts deliverability regardless of legal compliance.

Tax-exempt non-profits have a limited exemption from some TCPA provisions for calls to residential lines, but the exemption is narrow and does not broadly clear marketing texts to cell phones. For promotional texts sent via autodialer to mobile numbers, non-profits should still get prior express written consent. The safe move is to treat non-profit SMS programs like commercial ones unless you have reviewed the specific exemption with a TCPA attorney.

What happens if a subscriber's number gets reassigned to a new person?

Texting a reassigned number is a TCPA violation, even with a valid consent record for the original subscriber. The FCC's Reassigned Numbers Database (RNDB) lets senders check whether a number has been reassigned since a given date. The FCC offers a safe harbor for one text to a reassigned number if you queried the RNDB and saw no reassignment. Scrubbing against the RNDB before each campaign is the standard protection.

Can I re-enroll subscribers who previously opted out?

Yes, but only if they affirmatively re-opt in through a new consent event. You cannot re-add them because their opt-out "expired" or because they browsed your website. A genuine new opt-in meeting all written-consent requirements is required. Keep the original opt-out record even after re-enrollment so you can document the timeline if challenged.

What should the opt-out confirmation message say?

Keep it factual and brief. Something like: "You've been unsubscribed from [Brand] texts and won't receive further messages." You may add that they can re-subscribe later if they choose. Do not include a promotional offer, a call to action, or any marketing content. That message is the one permitted post-STOP text, and making it promotional could itself be a violation.

Sources

  1. U.S. Congress, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded calls/texts to cellular phones without prior express consent; statutory damages are $500 per violation, tripled to $1,500 for willful violations
  2. FCC, Reassigned Numbers Database: FCC operates RNDB allowing senders to query whether a number has been reassigned; querying provides safe harbor for first text to a reassigned number
  3. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA amended 2021 created private right of action for autodialed or robotexts to Florida consumers without written consent
  4. Washington State Legislature, Commercial Electronic Mail Act, RCW 19.190: Washington state statutes give AG power to pursue deceptive or unwanted electronic communications including text campaigns
  5. U.S. Congress, 28 U.S.C. § 1658, Limitations on Actions: Federal statute of limitations for civil actions is four years, applicable to TCPA private lawsuits
  6. WebRecon LLC, TCPA Litigation Statistics and Settlement Database: Notable TCPA class action settlements include Papa John's $16.5 million (2018), Jiffy Lube $47 million, Life Time Fitness $15 million
  7. U.S. Congress, E-SIGN Act, 15 U.S.C. § 7001: Electronic signatures including typed names and checked boxes satisfy written consent requirements under the E-SIGN Act as applied to TCPA
  8. FTC, Business Guidance on advertising and marketing: FTC guidance confirms pre-checked consent boxes are not valid affirmative consent under federal standards

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit