SMS apps and TCPA compliance providers: how to choose one that won't get you sued

TCPA violations cost $500-$1,500 per text. Here's how to evaluate SMS apps for compliance features and which providers actually help you stay legal.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Person reviewing SMS compliance documents at a wooden desk with a smartphone nearby
Person reviewing SMS compliance documents at a wooden desk with a smartphone nearby

TL;DR

TCPA requires prior express written consent before any marketing text, and violations run $500 to $1,500 per message. SMS apps vary wildly in how much they help you stay compliant. Some scrub DNC lists, enforce opt-in capture, and store consent records. Others leave all of that to you. This guide covers what to look for and how real providers stack up.

What does TCPA compliance actually require for SMS?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, bans marketing texts sent with an automatic telephone dialing system (ATDS) or prerecorded voice to anyone who hasn't given prior express written consent. [1] That phrase 'prior express written consent' does a lot of work. You need a signed agreement (electronic signatures count) where the person clearly agrees to get marketing texts from your specific company, and the agreement has to disclose that consent is not a condition of purchase.

The FCC's 2012 rules tightened this. Before 2012, implied consent was sometimes enough for certain calls and texts. After the October 16, 2013 effective date of those rules, marketing SMS without prior express written consent became a per-message violation. [2]

Here are the numbers. One violation is a minimum $500 statutory penalty per text. It rises to $1,500 if the violation is willful or knowing. [1] Class actions are the real threat. A campaign that texts 50,000 people without valid consent creates up to $75 million in statutory exposure before a plaintiff's attorney even mentions actual damages.

The law does leave a few things alone. Transactional texts (order confirmations, appointment reminders, fraud alerts) have a lower consent bar. [2] Texts to people who gave you their number for a specific non-marketing purpose may be okay for that purpose. But the moment a message includes any promotional content, you need the full written consent. Most failures happen the same way: someone slips a promo line into a transactional message and assumes the transactional consent covers it. It doesn't.

See our full breakdown of tcpa sms compliance for the statute-by-statute details.

What compliance features should you look for in an SMS app?

SMS platforms are not built the same way legally. Some are carrier-grade infrastructure with TCPA tooling bolted on. Others are simple broadcast tools that leave every compliance decision to you. Here's the short list of features that actually matter.

Consent capture and storage. The app should collect opt-ins on a form, record the timestamp and IP address, store the consent record indefinitely, and export it if you get sued. If a platform can't show you a per-contact consent audit trail, you're keeping that paper yourself, and most small teams don't. [3]

DNC and TCPA scrubbing. The platform should check phone numbers against the National Do Not Call Registry before sending. Some apps (Twilio, EZTexting, SimpleTexting) offer built-in or partner-integrated scrubbing. Many don't. If yours doesn't, you need a separate data hygiene vendor. [4]

Opt-out handling (STOP keywords). Every marketing SMS must include opt-out instructions, and carriers require that STOP (plus common variants like UNSUBSCRIBE, CANCEL, END, QUIT) suppress the contact immediately. [5] The FCC's regulations back this at the federal level. Any platform that processes STOP but still lets you override and re-send to that contact is a liability.

Quiet hours enforcement. The TCPA restricts calls (and most compliance lawyers extend this to texts) to 8 a.m. to 9 p.m. in the recipient's local time zone. [1] Some platforms enforce this by time zone automatically. Others let you schedule any time and assume you know what you're doing.

10DLC registration support. Since 2021, major U.S. carriers require SMS traffic from 10-digit long codes to clear the Campaign Registry (TCR) process before bulk delivery is allowed. [5] A compliant SMS app either handles 10DLC registration for you, walks you through it, or tells you upfront that you have to complete it. A platform that never mentions 10DLC is a red flag.

SHAFT content filtering. Carriers flag and can block campaigns involving sex, hate, alcohol, firearms, and tobacco (SHAFT). Some platforms have built-in content review or at least warn you. Others just send and let you find the filtering problem after the fact.

For a closer look at what the opt-in capture itself needs to say, see our guide on sms opt-in requirements.

How do the major SMS compliance providers compare?

Here's an honest comparison of the platforms small outbound teams actually consider. Prices and feature sets change, so confirm current details with each vendor.

Provider10DLC supportDNC scrubbingConsent audit trailQuiet hours enforcementApprox. starting price
TwilioYes (self-serve)No built-in (API partners)Via API loggingManual / developer-setPay-per-message (~$0.0079/SMS)
EZTextingYes (managed)Yes (integrated)YesYes (auto time zone)~$25/month (low volume)
SimpleTextingYes (managed)Yes (TCPA scrub add-on)YesYes~$29/month
PodiumYesLimitedYesPartial~$399/month
AttentiveYes (managed)YesYesYesCustom (enterprise)
SlickTextYes (managed)No built-inYesYes~$29/month
Klaviyo (SMS)YesNo built-inYesYesVolume-based

A few honest notes. Twilio is infrastructure, not a finished compliance product. It hands you the tools to build a compliant system, but your engineering team has to build it. No engineering team, no easy path with Twilio. [6] EZTexting and SimpleTexting are the platforms I see most often at small outbound shops, because the compliance features come out of the box and the account managers actually know what 10DLC means.

Attentive is strong but built for e-commerce with large lists. Podium is mostly a reputation and messaging tool for local businesses. Its TCPA tooling is decent, but that's not the reason people buy it.

For anyone asking specifically about Twilio's setup, we have a dedicated walkthrough: Twilio TCPA compliance: what you actually need to do.

Key TCPA SMS compliance numbers Thresholds and penalties every SMS sender needs to know 500 Minimum penalty per illegal text 1,500 Willful violation penalty p… text 4 TCPA statute of limitations (years) 13 Carrier quiet-hours window… Source: 47 U.S.C. § 227; FCC 2023 One-to-One Consent Order; Campaign Registry

Does the SMS platform bear any TCPA liability, or is that all on you?

This is one of the most misunderstood questions in the space. Short answer: mostly you.

The FCC's 2023 One-to-One Consent order (effective January 27, 2025) made clear that the seller or caller initiating the message carries the TCPA liability. [7] Platforms are generally shielded as common carriers or technology providers, not the initiating party. So when a class action names defendants, it names the company that sent the texts, not the software vendor.

There are narrow exceptions. If a platform knows a client is using it to send illegal texts and actively helps, courts have found liability can extend. In practice, class actions against SMS vendors on that theory are rare. The lawsuits go after the brand.

What this means for you: a platform's compliance features protect you, not the vendor. When a vendor says 'we're TCPA compliant,' they usually mean their system is set up to help you comply. Read the terms of service closely. Most make you represent and warrant that you have proper consent for every number you upload. That warranty shifts the legal risk right back to you if you're wrong.

Some platforms now require consent certification at the account or campaign level. That's more than good practice. It's the vendor protecting itself by creating a record that you certified compliance.

What is 10DLC registration and why does it matter for compliance?

10DLC stands for 10-digit long code. Before 2021, businesses sending bulk SMS from standard local numbers were operating in a carrier gray zone. Carriers started filtering these messages hard because spammers used the same number format. The Campaign Registry (TCR) system was the industry's answer: a clearinghouse where businesses register their brand and each messaging campaign before sending at volume. [5]

Registration means disclosing your company (you need an EIN), the campaign use case, the opt-in process you use, and sample messages. Carriers vet the information and assign a throughput level. An unregistered 10DLC campaign today gets filtered or blocked by AT&T, Verizon, and T-Mobile before it reaches most recipients.

10DLC registration is not a substitute for consent. It does not make an illegal campaign legal. But it matters for compliance in two indirect ways. First, the process forces you to document your opt-in method, which is exactly what you'd need in a TCPA defense. Second, carriers filter unregistered traffic, so a chunk of your messages may never arrive, which confuses recipients about who is texting them and why.

Most managed SMS platforms (EZTexting, SimpleTexting, SlickText) handle 10DLC registration during onboarding. If your platform doesn't, you register directly through TCR or a TCR-connected partner. Fees are typically a one-time brand registration fee (around $4) and a recurring campaign fee (around $10 per month per campaign), though these rates have changed and you should confirm current TCR pricing directly. [5]

Short codes (5- or 6-digit numbers) have their own carrier vetting and higher throughput, but they cost a lot more ($500 to $1,000 per month typically) and take 8 to 12 weeks to provision. Toll-free numbers used for SMS also go through a carrier verification process.

Consent records are your primary defense in a TCPA lawsuit. If you can't produce a consent record for a specific number, a plaintiff's attorney treats that as an admission of no consent. Courts generally agree.

A valid prior express written consent record has to capture the exact language the consumer saw when they agreed (the disclosure), the date and time of the opt-in, the phone number entered, the source (which web form, which keyword, which paper form), and ideally the IP address for digital opt-ins. [3] That's not optional detail. That's what you need to survive a motion for summary judgment.

The FCC's 2023 one-to-one consent rule, effective January 2025, added another wrinkle. Lead generators and comparison shopping sites can no longer use a single blanket consent to authorize texts from multiple sellers. Each seller needs its own consent, clearly named on the form. [7] If you bought leads from a third party, verify that the consent form named you specifically.

For small teams, the practical setup is simple. Use an SMS platform that stores consent records natively and can export them per contact. Pair it with a landing page or opt-in form that captures the fields above. Never import a phone list unless you can match each number to a specific consent record.

Our guides on sms opt-in form and sms double opt-in cover the exact language and mechanics.

What are the biggest TCPA lawsuit patterns hitting SMS senders right now?

Nobody has clean data on what share of TCPA suits involve SMS versus voice calls, but the direction is obvious. SMS litigation has grown a lot since 2018 as texting became the dominant outbound marketing channel. WebRecon's TCPA complaint tracking shows filings in the thousands annually, with a meaningful and growing text component. [8]

The common fact patterns in SMS TCPA class actions:

Purchased or rented lists. A company buys a lead list, texts everyone on it, and many recipients never gave that company any consent. This is the most common fact pattern by far. The 2023 FCC one-to-one consent rule targets exactly this. A blanket 'consent' on a comparison site claiming to authorize 50 companies to text you is no longer valid consent after January 2025. [7]

Opt-out failures. A consumer replies STOP, the platform processes it, and then a separate list import re-adds the number. That's a willful violation triggering the $1,500 per message penalty, and it happens more than people admit because many teams run multiple lists with no unified suppression file.

Wrong number texting. The original subscriber gave up the number and the new subscriber never consented. Reassigned numbers are an ongoing exposure. The FCC's Reassigned Numbers Database exists to help, but plenty of teams don't use it. [4]

Mixed transactional and promotional messages. A company sends what it thinks is a service update but tacks on a promotional offer. Courts look at the primary purpose of the message. Even a small promo element can flip a transactional message into a marketing message that needs written consent.

One case for context: in Van Patten v. Vertical Fitness Group (9th Cir. 2017), the court held that a single unsolicited marketing text established Article III standing. Plaintiffs don't need to prove actual harm to sue under TCPA. That ruling opened the door to class actions over even one unsolicited text per class member. [9]

Keep up with tcpa news today for litigation developments that change how you should operate.

Are free or low-cost SMS apps actually safe for compliance purposes?

Genuinely free SMS apps (not freemium trials) are almost always built for person-to-person or very small-volume messaging. They aren't designed for bulk outbound marketing, they have no 10DLC registration pathway, and they usually lack consent audit trails or DNC scrubbing.

Using a tool like Google Messages or a consumer-grade app to blast marketing texts is both a carrier terms violation and a TCPA risk, because these tools generally can't handle the opt-out mechanics federal law requires.

Freemium plans on real SMS marketing platforms are a different animal. EZTexting, SimpleTexting, and SlickText all have paid plans starting around $25 to $29 a month that include the compliance infrastructure above. None of them ship a free version with 10DLC registration, because carrier registration itself carries fees.

LeadCompliant offers a free TCPA compliance checklist and some free checking tools if you want to audit your current setup before committing to a platform. That pre-vendor audit is genuinely useful, because you'll find out whether your existing consent capture is legally sufficient before you send your first campaign.

The honest position: compliance infrastructure costs money. $29 a month for proper consent tools against a $1,500 per-text exposure is not a close call. The risk-adjusted cost of the free option is much higher.

How do state SMS marketing laws stack on top of TCPA?

TCPA sets the federal floor. Several states go further, and some have their own private rights of action separate from TCPA.

California's Invasion of Privacy Act and related statutes interact with SMS marketing in ways that sometimes make California opt-out requirements stricter than federal rules. Florida's Telephone Solicitation Act (amended in 2021) restricts automated or prerecorded calls and texts to Florida consumers and has produced a wave of litigation. [10] Washington State and Texas have their own telemarketing statutes with civil penalties.

The practical takeaway for outbound teams: if you text people in Florida, California, or Washington, learn the state-specific rules beyond TCPA. Florida's law has provisions that are arguably stricter than TCPA on automated texts to Florida numbers. Class actions under Florida's statute have hit companies that thought they had TCPA-compliant programs.

A good compliance SMS platform won't fully protect you from state law violations, because that analysis depends on knowing where your recipients are and what those states require. That's a legal question, not a platform feature. But a platform that gives you granular opt-in records, timestamps, and message logs at least hands your lawyer something to work with.

Industry rules can layer further. In real estate, NAR guidelines and state licensing rules add another layer. See real estate text message marketing for that context.

This article is general information, not legal advice. For your situation, talk to a TCPA-focused attorney.

What questions should you ask an SMS vendor before signing up?

Most SMS sales calls focus on features, price per message, and deliverability. Compliance questions get vague answers or confident-sounding ones that fall apart under scrutiny. Here's what to actually ask.

'Do you handle 10DLC registration, or do I do that myself?' The answer tells you whether they have a managed process or hand you off to TCR.

'Where are consent records stored, and can I export them per contact?' A compliant platform gives you a clear yes and a description of the audit trail. 'We log all opt-ins' is not specific enough.

'What happens when someone replies STOP?' They should describe an immediate, automated suppression across all your lists, more than the one campaign list.

'Do you scrub against the National DNC Registry?' If yes, ask how often the scrub runs and whether it's automatic or manual.

'Does your platform enforce time zone quiet hours?' And does it enforce based on the recipient's area code or location, or just your account settings?

'What does your terms of service say about my liability for consent?' Read the actual TOS. Understand what you're certifying when you use the platform.

'Are you a CSP (Campaign Service Provider) registered with the Campaign Registry?' Registered CSPs have a direct TCR relationship that usually smooths 10DLC registration. Unregistered resellers add friction and sometimes risk.

A vendor who can't answer these clearly is telling you something. Compliance is not a core part of their product.

For teams building the full opt-in flow, opt-in sms marketing walks through the complete consent mechanics.

What does a minimum viable SMS compliance setup actually look like?

For a small outbound team sending marketing texts, here's the least you need to operate without creating obvious TCPA liability.

First, a compliant opt-in form or keyword flow that captures the disclosure language the FCC requires. [2] The disclosure names your company, says consent is not required to buy, states your message frequency, and links to your privacy policy and terms. [3] See sms opt-in form: what it must say and how to build one for the exact copy.

Second, an SMS platform with managed 10DLC registration, automatic STOP processing, and a consent audit trail. For most small teams, EZTexting or SimpleTexting at their base paid tier covers this.

Third, a process to scrub your list against the National DNC Registry before every campaign, or a platform that does it automatically. The FCC's DNC rules apply to text messages under the same general framework as calls. [4]

Fourth, a written internal policy: who can approve campaigns, what the consent requirement is for each list, how opt-outs are tracked across all lists, and what happens when someone gets a complaint or legal notice. One page is enough. Having it matters.

Fifth, a suppression list. Every number that has ever replied STOP to any campaign goes on this list and stays there unless the person affirmatively re-subscribes.

That's it. You don't need a $500-a-month compliance platform to do this right. You need the right $29-a-month platform and the discipline to follow the process.

LeadCompliant's free compliance kit has templates for the opt-in disclosure language, the internal policy, and the suppression list process if you want a starting point.

Frequently asked questions

Can I text a list I purchased from a data broker if they say it's TCPA compliant?

Almost always no. 'TCPA compliant lists' from data brokers rarely include consent specific to your company. The FCC's 2023 one-to-one consent rule, effective January 2025, requires that consent name the seller explicitly. A list where consumers consented to 'marketing partners' is no longer sufficient. You'd need to verify each contact's consent record named your business specifically, which brokers almost never provide.

Is there a TCPA exemption for B2B text messages?

Sort of. The TCPA's residential subscriber protections don't apply the same way to business lines, and courts have sometimes found B2B texting outside the statute's scope. But this is fact-dependent and unsettled. If you're texting personal cell phones of business contacts (common in B2B), TCPA applies fully. Only texting actual business landlines or company-owned devices in a purely B2B context gets you near exemption territory. Get legal advice before relying on this.

The FCC's one-to-one consent rule, adopted December 2023, requires prior express written consent for marketing calls and texts on a one-to-one basis: one consumer, one seller, one consent. It ended the practice of a single form authorizing texts from dozens of companies. The rule took effect January 27, 2025. If your leads came from a comparison site or lead gen form before that date, audit whether those consents are still valid.

Not written consent in the TCPA marketing sense. Appointment reminders are transactional or informational texts, which require only prior express consent, not the more demanding 'prior express written consent.' That consent can be implied from the customer relationship or an earlier oral agreement. But if your reminder includes promotional content, such as 'and here's a discount on your next visit,' the whole message may become marketing and require written consent.

The TCPA statute of limitations is four years from the date of the violation under 28 U.S.C. § 1658. Practically, keep consent records at least four years from the last message sent to a contact, longer if you're in a state with a longer limitations period. California's CIPA has a one-year limit, but other California statutes can extend exposure. Many compliance attorneys recommend keeping records five to seven years.

What is a short code and is it safer than a long code for TCPA purposes?

A short code is a 5- or 6-digit number for high-volume SMS. It goes through carrier application and approval before use, so the carrier has vetted your use case. That does not make you immune to TCPA claims; consent requirements are identical. Short codes are more reliable for delivery at volume, and their approval process creates some documentation of your campaign purpose, which can help defensively, but they cost $500 to $1,000 per month or more.

Does a text message have to include an opt-out option every time?

Carriers require opt-out instructions (typically 'Reply STOP to unsubscribe') in the initial message and recommend including them periodically, often once a month for recurring campaigns. FCC regulations and carrier guidelines both back this. Some platforms automatically append opt-out language to every message; others let you set the frequency. Leaving it out entirely is both a regulatory violation and a carrier terms violation that can get your number filtered.

Can I use an AI or chatbot to send texts without triggering TCPA?

The ATDS definition is still litigated after Facebook v. Duguid (2021), which narrowed it to systems using random or sequential number generation. Many outbound SMS platforms still qualify as ATDS under certain interpretations, and the FCC has signaled interest in updating rules for AI-generated calls and texts. The consent requirement applies regardless of the technology sending the message. Don't assume AI tools sidestep TCPA.

What happened in Facebook v. Duguid and why does it matter for SMS?

In Facebook, Inc. v. Duguid (2021), the U.S. Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers. This narrowed the ATDS definition sharply. Platforms that send only to pre-loaded contact lists (not randomly generated numbers) may not qualify as ATDS under this reading. Some plaintiffs still argue ATDS status based on system architecture, and state law claims don't depend on it. Consent best practices stay essential.

How much does a TCPA SMS class action typically settle for?

Settlements vary enormously by class size. Small TCPA SMS cases settle in the tens of thousands of dollars. Major class actions settle in the millions: notable examples include a $76 million settlement in Krakauer v. Dish Network (though that was calls), and SMS-specific settlements in the $10 million to $30 million range for large-list cases. The per-person settlement is usually $20 to $150, but multiplied across a class of hundreds of thousands, the totals get severe.

Is double opt-in required for SMS marketing under TCPA?

TCPA does not legally require double opt-in. A single clear opt-in with proper disclosure satisfies the statute. But double opt-in (where the consumer confirms by replying YES after signup) creates a much stronger consent record and is strongly recommended. It confirms the number is accurate, the subscriber controls it, and they knowingly agreed. Carriers also tend to look more favorably on double-opt-in campaigns. See our guide on sms double opt-in for implementation details.

What is the National DNC Registry and does it apply to text messages?

The National Do Not Call Registry, maintained by the FTC, lists consumer phone numbers that have opted out of unsolicited telemarketing calls. The FCC has interpreted TCPA to apply DNC protections to text messages as well as voice calls. Texting a number on the DNC list without a pre-existing business relationship or prior express consent is a separate violation layered on top of the consent requirement. Some SMS platforms scrub against the DNC list automatically; others make you do it yourself.

Can small businesses afford proper TCPA-compliant SMS platforms?

Yes. Entry-level paid plans on EZTexting, SimpleTexting, and SlickText run roughly $25 to $29 per month with compliance features included. That's not a budget issue; it's a priority issue. The risk math is straightforward: a single TCPA violation costs $500 minimum, and a class action against even a small list can generate six-figure liability. The platforms that handle 10DLC, consent records, and opt-outs are a trivially small investment against that exposure.

Do I need a lawyer to set up TCPA-compliant SMS marketing?

Not necessarily for basic setup, if you follow the statute and FCC rules carefully. You need clear opt-in forms, proper disclosure language, a compliant platform with 10DLC registration, DNC scrubbing, and opt-out handling. Those are operational steps, not legal interpretation. But if you're buying leads from third parties, texting in high-risk states like Florida, or building at significant scale, a TCPA attorney review of your consent flow is worth the cost. This article is not legal advice.

Sources

  1. U.S. House of Representatives, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits marketing texts without prior express written consent; violations carry $500 per message, $1,500 if willful
  2. Federal Trade Commission, business guidance: Valid consent records should capture disclosure language, timestamp, phone number, source, and IP address for digital opt-ins
  3. FTC, National Do Not Call Registry: The National DNC Registry applies to telemarketing contacts including text messages; businesses must scrub lists before outreach
  4. The Campaign Registry (TCR): 10DLC brand and campaign registration required by carriers for bulk application-to-person SMS; includes fees and campaign vetting
  5. Twilio, legal and privacy documentation: Twilio provides API-level SMS infrastructure; TCPA compliance implementation is the responsibility of the account holder
  6. WebRecon LLC, TCPA Complaint Data: TCPA federal lawsuit filings tracked annually showing thousands of cases per year with growing SMS component
  7. Van Patten v. Vertical Fitness Group, 847 F.3d 1037 (9th Cir. 2017): 9th Circuit held a single unsolicited marketing text established Article III standing; no actual harm required to bring TCPA suit
  8. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida's 2021 amended telemarketing law restricts automated and prerecorded calls and texts to Florida consumers with private right of action
  9. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generation, limiting TCPA scope for pre-loaded list texting

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit