Last updated 2026-07-11

TL;DR
An opt-in SMS policy is the written agreement that governs how you collect, store, and honor mobile consent for text marketing. Federal law (47 U.S.C. § 227) requires prior express written consent before you send a single promotional text. Your policy must name the program, state message frequency, disclose carrier fees, and give a clear opt-out path. Get it wrong and each text can cost up to $1,500 in statutory damages.
What is an opt-in SMS policy and why does it exist?
An opt-in SMS policy is the public-facing document, usually a short page or a modal on your website, that spells out how you gather consent to send marketing texts, what you'll send, how often, and how people stop the messages. It's the written backbone behind every text you send.
The policy exists because the Telephone Consumer Protection Act (47 U.S.C. § 227) makes it illegal to send marketing texts to a mobile number without prior express written consent [1]. The FCC's 2012 order tightened the rule, moving from an implied-consent standard to a written-consent requirement for all autodialed or prerecorded promotional messages [2]. Without a policy that documents the what, why, and how of your consent process, you have no proof the consent ever existed.
That proof decides cases. In TCPA litigation the burden of showing consent usually lands on the defendant, meaning you. If a plaintiff swears they never agreed to your texts, you need records and a documented policy to fight back. A vague "by signing up you agree to marketing" clause buried in a terms-of-service page rarely holds up [3].
Small teams treat this as legal boilerplate. It isn't. The policy is a system design document in disguise. It forces you to answer real questions: Where do we collect consent? What do we store? Who can opt out, and how fast do we honor it? Answering those in writing before the first text goes out is far cheaper than answering them in a class-action complaint.
What are the federal legal requirements for an SMS opt-in policy?
The core requirement comes from 47 U.S.C. § 227(b)(1)(A), which bars using an automatic telephone dialing system or an artificial or prerecorded voice to call or text a mobile number without the prior express consent of the called party [1]. For marketing messages, the FCC clarified in its 2012 rules (codified at 47 C.F.R. § 64.1200) that consent must be prior express written consent, a higher bar than the general standard that covers informational texts [2].
The FCC defines prior express written consent as a written agreement that clearly authorizes the seller to deliver advertisements or telemarketing messages using an autodialer. The agreement has to include the phone number the consumer is consenting with, and the consumer can't be required to consent as a condition of any purchase [2].
In plain terms, your opt-in policy and your consent flow must:
- Clearly identify who is sending the messages (your company name)
- Describe the type of messages (promotions, alerts, updates, etc.)
- State the approximate message frequency ("up to 4 messages per month")
- Include the statement: "Message and data rates may apply"
- Provide opt-out instructions ("Reply STOP to cancel")
- Provide help instructions ("Reply HELP for help")
- State that consent is not a condition of purchase [2][4]
The CTIA, the trade association for the wireless industry, publishes messaging principles that major carriers enforce as a condition of sending traffic through their networks [4]. Carriers block messages from senders who skip these disclosures. So even if you were willing to roll the dice on TCPA, carrier-level enforcement still catches you.
One number surprises people. The FCC's 2012 order killed the established business relationship exemption for marketing texts entirely. A relationship you've built with a customer over years does not let you text them promotional content without explicit written consent [2].
What exactly must your opt-in SMS policy say?
Here's the specific language and elements every compliant policy needs. Treat it as a checklist you walk through before legal review.
Program name and sender identity. Name the specific texting program and the brand sending the messages. "LeadCo Promotional Alerts" beats plain "LeadCo" because it scopes the consent.
Description of message types. You can't collect consent for "promotions" and then send transactional fraud alerts, or the reverse. Spell out the categories: sales offers, new product announcements, event reminders.
Message frequency disclosure. Use a real estimate. "Message frequency varies" is weak on its own, and some state AG offices have flagged it as insufficient. "Approximately 4 messages per month" is better. "Up to 8 messages per month" works too. Pick a number you'll actually stay near.
"Message and data rates may apply." This exact phrase, or a close variant, is required by CTIA guidelines and expected by carriers [4]. It's short. Put it in.
Opt-out instructions. The standard is "Reply STOP to unsubscribe." Your platform has to honor STOP replies immediately and permanently, more than drop them in a queue. More on opt-out mechanics below.
HELP keyword. "Reply HELP for help" or "for assistance, text HELP or visit [URL]" covers the requirement. Your HELP response should include your business name and a support contact.
Consent-not-required-for-purchase statement. Verbatim or close: "Consent is not a condition of any purchase." This line is required by 47 C.F.R. § 64.1200 [2].
Privacy policy link. State privacy laws (California's CCPA, Colorado's CPA, Texas's TDPSA) require you to link to your full privacy policy wherever you collect personal data, phone numbers included [5]. Your SMS opt-in form should carry this link, and your SMS policy should reference it.
Record retention statement. Optional in the policy itself, but smart to include. State that you keep consent records for at least four years, matching the TCPA's four-year statute of limitations under 28 U.S.C. § 1658 [12].
The disclosure block at the point of opt-in, the thing the user actually reads, should run about 50 to 100 words. Your full SMS policy page can go longer and explain the program in depth, but every required element above needs to appear somewhere the consumer sees before hitting submit.
What is the difference between single opt-in and double opt-in for SMS?
Single opt-in means the subscriber submits their phone number (web form, in-store sign-up, keyword text) and you start sending. Double opt-in adds a confirmation step: the subscriber gets an initial text asking them to confirm by replying YES or a similar keyword, and you don't add them to your list until they confirm [6].
Federal law does not require double opt-in. TCPA requires prior express written consent, and a well-documented single opt-in can meet that bar. But double opt-in carries real advantages that most experienced compliance people say are worth it.
It produces a cleaner consent record. You have proof the person who got the confirmation text also controlled that phone at that moment. It filters out typos and fake numbers, which cuts deliverability problems and complaint rates. And it makes list scrubbing easier because every number on your list has confirmed.
The carrier ecosystem keeps pushing consent standards higher. Carriers that route A2P (application-to-person) 10DLC traffic watch complaint rates, and double opt-in lists run lower. A lower complaint rate means less risk of your sending number getting flagged or throttled.
For a fuller treatment of the mechanics, see our piece on sms double opt in.
Who should use double opt-in? Anyone sending promotional messages, especially if the list source is a purchased lead, a third-party form, or any situation where you didn't watch the consumer type their own number. If you run a retail store and someone handed you their number in person, single opt-in with good documentation may be fine. If you're buying leads off a publisher network, double opt-in is not optional when you want to defend yourself.
How do you collect opt-in consent properly?
Consent collection is where most small teams slip. The channel matters, because each method carries its own documentation requirements.
Web form opt-in. The most common method. The form needs a phone number field, a checkbox for SMS consent (unchecked by default, never pre-checked), and the full required disclosure text inline or right next to the checkbox. The checkbox can't be bundled with acceptance of your terms of service. It has to be a standalone SMS consent action. Store the timestamp, IP address, page URL, and form version with each consent record [3].
Keyword opt-in. The consumer texts a keyword (JOIN, YES, DEALS) to your short code or long code. Your system responds immediately with a confirmation that carries all required disclosures: program name, message frequency, "message and data rates may apply," and opt-out instructions. Store the inbound text timestamp and number.
Paper or in-store form. Someone writes their number and checks a box at your counter. Digitize the record fast and keep the physical form or a legible scan. This is harder to defend in litigation because paper records are easier to dispute.
Verbal consent over the phone. This does not meet the written consent standard for marketing texts under 47 C.F.R. § 64.1200 [2]. You can't call someone, get them to say "sure, text me deals," and treat that as compliant written consent for future promotional texts. Full stop.
Third-party lead forms. If you buy leads from a publisher and those leads supposedly consented to hear from "partners" or "affiliated companies," that consent is fragile. The FCC's one-to-one consent rule, adopted in 2023, requires consumers to consent specifically to the identified seller, not to a generic category of partners [7]. Read your lead vendors' consent language closely. If it doesn't name your company, don't text those numbers without re-obtaining consent.
For a closer look at building the actual form, see sms opt-in form.
What are the opt-out rules and how fast must you honor them?
The opt-out side of your policy is not optional, and the timelines are tight. CTIA guidelines require STOP requests be honored within 24 hours at most, and the practical carrier standard is immediate suppression [4]. The FCC's rules under 47 C.F.R. § 64.1200 require you to honor requests to stop further calls or messages, and courts have held that texting after an opt-out is a separate TCPA violation, each message stacking damages.
Your policy and your operational process must handle these opt-out keywords at minimum: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. CTIA lists all of them as required universal opt-out keywords [4]. Your platform should suppress every one, more than STOP.
After a subscriber opts out, the only message you may send is a single confirmation acknowledging the opt-out. Something like: "You've been unsubscribed from [Program Name]. No further messages will be sent. Text JOIN to resubscribe." That's it. No "are you sure?" follow-up. No "we'll miss you" promotional message.
Store opt-outs in your suppression list indefinitely, or at least for as long as you might ever contact that number again. Acquire a new list six months later and that number shows up? Your suppression list has to catch it before you send.
One scenario people miss: if a contact calls your phone number or emails and says "stop texting me," that's a revocation of consent even though it didn't come through SMS. The FCC has confirmed consumers can revoke consent through any reasonable means [2]. Your policy should acknowledge this, and your team needs a process to add phone-in and email-in revocations to the suppression list the same day.
What TCPA penalties can you face for SMS policy violations?
Statutory damages under TCPA are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [1]. Each text is a separate violation. Send a promotional blast to 10,000 people without proper consent and your exposure is $5 million at the base rate, or $15 million if a court finds the violations willful.
TCPA is one of the few federal statutes with a private right of action. Any individual who got your text can sue without proving actual damages. That's why class actions pile up. A single plaintiff who received 5 texts without consent becomes the representative for thousands who got the same messages.
Real case data: in 2021, Papa John's settled a TCPA class action for $16.5 million over text messages sent to numbers on the Do Not Call registry and without adequate consent [8]. In 2019, Domino's settled a related matter for $9.6 million. These are big companies with legal departments. Small teams get hit too, often harder per head, because a settlement smaller in absolute dollars still wipes them out.
The four-year statute of limitations under 28 U.S.C. § 1658 lets plaintiffs sue over texts sent up to four years back [12]. That's why record retention matters. No consent records from four years ago means no defense for texts sent four years ago.
State laws add a layer. California's CCPA, Illinois's Biometric Information Privacy Act, and Florida's FTSA (Florida Telephone Solicitation Act) each carry their own teeth. Florida's FTSA creates a $500-per-call private right of action for calls or texts made with an autodialer without consent, with no willfulness requirement for the first tier [9]. Texas and Oklahoma have similar statutes.
| Violation type | TCPA statutory damage | Willful multiplier |
|---|---|---|
| Single text without consent | $500 | Up to $1,500 |
| 1,000-person blast | $500,000 base | Up to $1.5M |
| 10,000-person blast | $5M base | Up to $15M |
| Post-opt-out text | $500 per message | Up to $1,500 per message |
For more on how TCPA enforcement plays out, see tcpa sms compliance.
How does your SMS opt-in policy interact with state privacy laws?
Federal TCPA sets the floor. States can go higher, and several have.
California's Consumer Privacy Act (CCPA), as amended by CPRA, requires businesses that collect personal information, phone numbers included, from California residents to disclose the categories of information collected, the purposes of collection, and to provide a right to opt out of the sale or sharing of that information [5]. If your SMS opt-in form collects a California resident's phone number, your policy needs to incorporate or link to a CCPA-compliant privacy notice.
Florida's FTSA (Fla. Stat. § 501.059), as amended in 2021, created a private right of action for unsolicited sales calls or texts made with an autodialer. Florida's law reaches both autodialed and manually dialed texts if they're part of a sales campaign, which is broader than TCPA in some readings [9]. Florida residents have become a disproportionate source of TCPA-adjacent claims because of it.
Texas's Business & Commerce Code § 302.101 requires prior written consent before sending a commercial electronic text message to a mobile device. The Texas AG can bring enforcement actions, and there is a private right of action [10].
Colorado's Privacy Act adds disclosure requirements for digital marketing communications. New York has proposed SMS marketing legislation that would require affirmative opt-in consent and specific disclosures.
The practical move: draft your SMS opt-in policy to satisfy the strictest state standard you're likely to face, which right now is a mix of California (CCPA disclosure obligations) and Florida (private right of action on autodialed texts). Satisfy those and you're in reasonable shape nationally. Operate internationally and GDPR raises the bar again: you need a lawful basis for processing, and for marketing texts that generally means freely given, specific, informed consent [11].
For teams sending B2B texts internationally, see b2b lead generation platforms gdpr compliance.
What records do you need to keep and for how long?
Record keeping is dull. It's also the thing that decides whether you win or lose a lawsuit.
For each opt-in consent record, store: the phone number, the date and time of consent (with timezone), the method of consent (web form, keyword, paper form), the URL or identifier of the specific form or page where consent was collected, the IP address for web-based opt-ins, the version of your disclosure language active at that time, and any confirmation message sent.
For opt-outs, store: the phone number, the date and time of the request, the channel (STOP reply, phone call, email), and confirmation of suppression.
How long? The TCPA statute of limitations is four years under 28 U.S.C. § 1658, so four years is the legal minimum [12]. Practically, keep consent records as long as you keep any record of interacting with that number, plus four years. Some compliance attorneys recommend keeping suppression lists forever, because once someone opts out you should never contact them again anyway.
Store records in a format that's exportable and date-stamped. A spreadsheet you update by hand beats nothing, but it's vulnerable to tampering claims. A CRM or SMS platform with audit logs is far more defensible. If litigation comes and you have to produce records, you want a system-generated log, not a file someone could have edited last week.
LeadCompliant's free compliance kit includes a consent record template and a suppression list format you can adapt, which helps if you're setting up your process from scratch.
For platforms that handle record-keeping automatically, see text message marketing software.
How do you write an SMS opt-in policy for different business types?
The required legal elements don't shift between industries. The framing and message categories do.
Retail and e-commerce. Name the specific program: "Join the [Brand] VIP Text Club." Message types: promotional offers, sale announcements, new arrivals. Frequency: many retail programs send 4 to 8 per month, so say that. This is a high-volume use case where consent documentation really matters, because list size multiplies risk.
Real estate. Real estate texting gets messy because agents want to send property alerts, price drops, showing reminders, and cold prospecting all at once. The consent you collect for property alerts (often transactional) is not the consent required for unsolicited prospecting. Texting cold leads means express written consent, period. See real estate text message marketing for how this plays out.
Restaurants. Common cases: reservation reminders (usually transactional, lower consent threshold), loyalty rewards (promotional, written consent required), limited-time offers (promotional). The restaurant context fits keyword opt-in well: "Text PIZZA to 55555 to join our deal alerts." See sample text message marketing for restaurants for language examples.
B2B sales. Here's where people get confused. B2B texts to mobile numbers are still governed by TCPA if you use an autodialer. The residential-versus-business distinction matters some: TCPA's Do Not Call provisions have a business-to-business exemption, but the autodialer restriction on mobile numbers applies regardless. Text a prospect's cell phone and you need consent [1]. Your B2B opt-in policy should be clear about the program: "Sales outreach and updates from [Company]." Many B2B teams treat explicit consent captured through inbound demo requests or contact forms as covering later follow-up texts. That's defensible if the form language actually covered text communication.
Lead generation companies. If you're a publisher or lead gen platform passing leads to other companies, your opt-in policy must, under the FCC's one-to-one consent rule, name each downstream buyer specifically or refresh consent at each buyer's point of contact [7]. Blanket "partner" language no longer meets the standard for marketing texts.
What common SMS opt-in policy mistakes cost businesses the most?
Watch TCPA litigation patterns long enough and the same mistakes surface again and again.
Pre-checked consent boxes. A checkbox already checked when the form loads is not valid consent under any reading of the TCPA's written consent requirement. Courts have rejected it repeatedly. The user has to take an affirmative action [3].
Bundled consent with terms of service. If your terms say "by creating an account you agree to receive marketing texts," that isn't the standalone, clear authorization the FCC requires. It's buried, and courts know it [2]. SMS consent needs its own discrete action.
Rotating disclosure language without version tracking. Update your disclosure but fail to track which version was live when each subscriber opted in, and you can't defend what that subscriber agreed to. Version your consent forms.
Not honoring STOP variants. A platform that catches "STOP" but not "UNSUBSCRIBE" or "CANCEL" leaves you exposed. Test with every CTIA-required keyword before launch.
Texting after list purchase without re-verification. Buying a list and texting it because the seller claims the numbers are "opted in" is one of the riskiest moves a small team can make. That supposed consent is almost never TCPA-compliant for your company specifically, especially after the FCC's one-to-one consent rule [7].
Missing frequency disclosure. "Message frequency varies" alone isn't best practice under CTIA guidelines, and some state regulators frown on it. Give an actual estimate.
Treating transactional consent as promotional consent. Someone gave you their number for order confirmations. That does not let you send discount offers. Consent is scoped to what the consumer agreed to.
For a broader look at compliance processes and tools, LeadCompliant offers free TCPA checkers and a one-time compliance kit that walks through consent flow design and policy templates. A useful starting point if you're building from scratch.
How do you update or change your SMS opt-in policy?
Policies change. You add message categories, adjust sending frequency, or switch platforms. How you handle the change matters legally.
For minor changes, like updating a support email or rewording a sentence without changing what subscribers consented to, a policy update with a new effective date is generally enough. Post the updated policy, archive the old version, and send a notice text if the change is material.
For material changes, meaning you're adding message categories, raising frequency a lot, or changing the nature of the program, re-obtain consent from existing subscribers. Send a text describing the change and ask people to reply YES to keep receiving messages under the new terms. Anyone who doesn't reply gets suppressed from the new program. This is conservative, and some operators skip it. But when the new messages differ meaningfully from what subscribers originally agreed to, the original consent doesn't automatically stretch to cover them [2].
A material-change notice might read: "[Brand] is updating our text program to include weekly flash sale alerts starting [date]. To keep receiving messages, reply YES. Message and data rates may apply. Reply STOP to cancel."
Whenever you update, record the change: what changed, when, and why. That documentation matters if someone later claims the messages they got fell outside what they consented to.
For teams managing ongoing compliance across a growing program, marketing text message service covers what to look for in a platform that makes policy compliance easier to hold together.
Frequently asked questions
Do I need a separate SMS opt-in policy page or can I put it in my terms of service?
You can technically fold SMS terms into your main terms of service, but it's a bad idea in practice. Courts and regulators look for clear, standalone consent. Bury your SMS disclosures in a long TOS document and a plaintiff's attorney argues the subscriber never meaningfully saw them. A dedicated SMS policy page, linked from your opt-in form, is far more defensible and takes about an hour to set up.
Can I text someone who gave me their number on a business card?
No, not for marketing without additional consent. A business card exchange is not written consent under TCPA. You can call them (subject to DNC rules), but texting promotional content with an autodialer requires prior express written consent. If you text them by hand from a personal phone as a natural conversation, that's a different analysis, but most sales texts run through platforms that qualify as autodialers.
What does "prior express written consent" actually mean under TCPA?
The FCC defines it at 47 C.F.R. § 64.1200(f)(9) as a written agreement that clearly authorizes the seller to send autodialed marketing messages, signed (electronically or physically) by the consumer, that includes the phone number and a statement that consent is not required for any purchase. An electronic signature via a web form checkbox satisfies the written requirement.
How long do I have to honor an opt-out request?
CTIA guidelines say opt-outs must be honored within 24 hours, but the practical and safest standard is immediate. Your platform should process STOP replies in real time and suppress the number from any pending sends. Sending even one more message after a STOP reply is a separate TCPA violation worth up to $1,500 in statutory damages.
Is an SMS opt-in policy required for transactional texts like order confirmations?
The written consent requirement applies to marketing texts. Purely transactional texts, like order confirmations, shipping notifications, or appointment reminders, generally require prior express consent (a lower bar) rather than prior express written consent. You still need some form of consent, and your policy should clearly distinguish which program covers transactional messages versus promotional ones.
What is the FCC's one-to-one consent rule and how does it affect my policy?
The FCC's one-to-one consent rule, adopted in 2023, requires that SMS marketing consent be obtained specifically for the seller sending the messages, not for a broad category of "marketing partners." If you buy leads from a publisher, those leads must have consented to hear from your company by name. Generic partner consent no longer works. Update your lead vendor contracts and consider re-consent campaigns for purchased lists.
Can I remarket to someone who opted out if they become a customer later?
No. An opt-out is an opt-out. Even if the person later buys from you, that transaction does not reinstate consent to receive marketing texts. The only way to re-add an opted-out number to your active list is if they affirmatively opt back in through a new, documented consent action. Suppress opted-out numbers indefinitely.
What should the opt-in confirmation text say?
Your confirmation should include the program name, a brief description of what they signed up for, message frequency, "Message and data rates may apply," opt-out instructions (Reply STOP), and a HELP contact. Example: "[Brand] Alerts: You're in! Up to 4 msgs/mo with deals and updates. Msg & data rates may apply. Reply STOP to cancel, HELP for help."
Does TCPA apply to texts sent from a 10-digit long code (10DLC) number?
Yes. TCPA applies based on whether the sending system qualifies as an automatic telephone dialing system, not on the number type. Most modern SMS platforms, whether short code, 10DLC, or toll-free, can qualify as autodialers. The FCC's definition has shifted through court cases, but the safe assumption is that your platform is covered. Obtain and document consent regardless of number type.
How do I handle consent when I acquire another company and inherit their subscriber list?
Inherited lists are high-risk. The consent in the original company's records was given to that company, not yours. Unless the original consent language named successor companies or was broad enough to cover the acquiring entity, run a re-consent campaign before sending marketing texts to that list. It's conservative, and it's the right call. Many TCPA class actions come out of exactly this scenario.
What records do I need to prove consent if I'm sued?
At minimum: the phone number, the timestamp of consent with timezone, the consent method (web form, keyword), the URL and version of the form or disclosure shown at that time, and the IP address for web opt-ins. For keyword opt-ins, store the inbound text log. Keep these records for at least four years, matching the TCPA statute of limitations under 28 U.S.C. § 1658.
Does my SMS policy need to be different for residents of California or Florida?
It needs to address state-specific rights, yes. For California residents, your policy should reference their CCPA rights, including the right to know what data you collect and the right to opt out of sale or sharing. For Florida residents, note that Florida's FTSA creates a private right of action for autodialed texts without consent, at $500 per text. Your consent language and opt-out process should be strong enough to satisfy both standards.
Can I use a single opt-in policy for email and SMS marketing together?
You can have a single policy document covering both, but consent must be collected separately. One checkbox reading "I agree to receive email and SMS marketing" is not best practice and is arguably insufficient for SMS under TCPA, because the written consent requirement is specific to the text channel. Use separate checkboxes and make the SMS consent standalone and explicit.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits using an automatic telephone dialing system to text a mobile number without prior express consent; statutory damages are $500-$1,500 per violation
- FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA: Prior express written consent required for marketing texts; defines required elements including that consent not be a condition of purchase; removed established business relationship exemption for marketing texts in 2012
- FTC, Business Guidance on Privacy and Security: Bundled or pre-checked consent is insufficient; consent must be a clear affirmative action
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA requires businesses collecting personal data including phone numbers from California residents to disclose collection categories, purposes, and provide opt-out rights
- U.S. District Court, Papa John's TCPA Settlement (Legg v. PTT, LLC): Papa John's settled a TCPA class action for $16.5 million over text messages sent without adequate consent
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's FTSA creates a $500 per call/text private right of action for unsolicited autodialed sales texts to Florida residents
- Texas Legislature, Business & Commerce Code § 302.101: Texas law requires prior written consent before sending commercial electronic text messages to mobile devices; private right of action applies
- European Data Protection Board: GDPR requires freely given, specific, informed, and unambiguous consent as a lawful basis for processing personal data for marketing communications including SMS
- U.S. Code, 28 U.S.C. § 1658, Statute of Limitations: Four-year statute of limitations applies to TCPA claims, establishing minimum record retention period for consent documentation