Last updated 2026-07-09

TL;DR
Federal law (47 U.S.C. § 227) requires prior express written consent before you send marketing texts. Each violation costs $500, tripling to $1,500 if willful. CAN-SPAM does not cover SMS. State laws in Florida, Oklahoma, and Washington add more. You need consent records, opt-out honoring within 10 business days, and clear disclosures before the first promotional message goes out.
What laws actually govern SMS marketing in the United States?
Three legal frameworks touch outbound text marketing, and they do not overlap cleanly.
The Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. § 227, is the primary federal statute. [1] It restricts calls and texts made with an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to cell phones. The FCC interprets the TCPA and writes the implementing regulations at 47 C.F.R. Part 64. Marketing texts sent en masse almost always trigger TCPA coverage.
CAN-SPAM (15 U.S.C. § 7701 et seq.) governs commercial email. Plenty of teams assume it extends to SMS because the FCC once issued a rule about "commercial mobile service" spam, but that rule was narrow and mostly addressed email-to-SMS gateways. [2] For a standard marketing text sent from a 10-digit long code, short code, or toll-free number, CAN-SPAM is not your governing statute. Do not build your SMS compliance program around it.
State laws are the third layer and the fastest-growing one. Florida's Telephone Solicitation Act (FTSA), amended in 2021, is the most aggressive state SMS law in the country. It requires prior express written consent for any automated or prerecorded text to a Florida area code, with a private right of action carrying $500 per violation. Oklahoma and Washington have passed similar statutes with their own wrinkles. [3] If you text consumers nationally, you need to know which states have private rights of action. Plaintiffs' lawyers shop for them.
The CTIA (Cellular Telecommunications Industry Association) Messaging Principles and Best Practices sit outside formal law but matter every day. Carriers enforce CTIA guidelines by blocking or filtering traffic that does not comply. Getting your messages delivered means following carrier rules even where no statute compels it. [4]
What does the TCPA actually require for SMS marketing?
The core TCPA requirement for marketing texts is prior express written consent. The FCC's 2012 TCPA Order set this standard, and it has held ever since. [5] Prior express written consent means a written agreement, signed by the consumer (an electronic signature counts under the E-SIGN Act), that clearly authorizes a specific seller to send autodialed or prerecorded marketing messages to that specific number.
Several things kill a consent record:
- A pre-checked checkbox on a web form is not valid consent.
- Consent buried in general terms and conditions, with no clear disclosure that marketing texts will follow, is legally risky, and courts have split on it.
- Consent given to one company does not transfer to a different company, including affiliates, unless the consumer's agreement named those companies.
The FCC tightened that last point hard in a December 2023 Order that took effect in January 2025. [5] The Order ended the lead-generator loophole, requiring consent on a one-to-one basis: one consent for one seller, not one consent for a list of affiliated brands. If you run lead gen and send consented leads to multiple clients, your consent architecture almost certainly needs a rebuild.
Your written consent record must include four things: the consumer's phone number, the date and time of consent, the URL or medium where consent was given, and the exact disclosure language the consumer saw. Store those records for at least four years, matching the standard TCPA statute of limitations. See our detailed guide to tcpa sms compliance for the record-by-record breakdown.
Informational (non-marketing) texts drop to the lower bar of prior express consent, which can be oral or written. A customer handing you their number while placing an order is generally enough for transactional confirmations. The moment your message carries a promotional offer, you need the written standard.
What is the TCPA penalty per text message and how are damages calculated?
The TCPA sets a statutory damages floor of $500 per violation, and each text to a number counts as its own violation. [1] Courts have confirmed this repeatedly. A campaign that sends one promotional text to 50,000 non-consenting numbers creates 50,000 violations, or $25 million in exposure before any trebling.
If a court finds the violation willful or knowing, 47 U.S.C. § 227(b)(3) allows trebling to $1,500 per message. Willful does not mean malicious. Texting after receiving a cease-and-desist letter, continuing a campaign after being told about the legal problem, or ignoring industry guidance can all support a willfulness finding.
TCPA claims are plaintiff-friendly for a structural reason: statutory damages remove any need to prove actual harm. A consumer who got three unwanted texts can collect up to $4,500 without showing a single dollar of injury beyond the texts themselves. That makes these suits easy to file and easy to certify as class actions.
Most of the money at stake comes from private litigation, not federal fines. The statute gives consumers a direct right to sue in federal or state court, which is why TCPA suits are so common. The FCC can bring its own enforcement actions under 47 U.S.C. § 503, but the exposure that lands on your business almost always comes from plaintiffs' lawyers.
Settlement size varies wildly with campaign volume. TCPA class action settlements over the past decade have run from roughly $2 million to more than $75 million. Smaller individual suits often settle for a few thousand dollars each, but they arrive in volume when your opt-out process fails.
What consent and opt-in process do you need before texting someone?
Getting consent right is where most small teams cut corners, and where most TCPA liability starts. Here is what a defensible sms opt in process actually looks like.
Start with the disclosure the consumer sees before agreeing. It cannot be buried. It has to say: (1) they are consenting to receive recurring automated marketing text messages, (2) from your company by name, (3) at the phone number they provide, (4) that consent is not a condition of purchase, and (5) that message and data rates may apply.
The phrase "not a condition of purchase" is not optional. The FCC requires it for prior express written consent on marketing calls and texts. Conditioning a sale or service on accepting marketing texts voids the consent.
Second, your sms opt-in form should capture a timestamp, the IP address (for web forms), the specific disclosure language shown, and the phone number entered. That metadata is your legal record if anyone ever challenges you.
Third, look at sms double opt in. After a consumer enters their number, you send a confirmation text asking them to reply YES (or a keyword) to confirm. The TCPA does not require it. It earns its keep two ways: it filters out typos and fake numbers, and it creates a second, hard-to-dispute consent record in the consumer's own reply. For any high-volume program, that small bit of friction is worth it.
Webinar sign-ups, sweepstakes entries, lead-gen forms, and loyalty enrollments are all common consent touchpoints. The rule that governs all of them: consent must be specific to marketing texts. A consumer who entered a sweepstakes and gave an email does not consent to texts just because your form also had a phone field.
How do you handle SMS opt-outs and what does the law require?
The TCPA requires any marketing text program to honor opt-out requests promptly. The FCC's rules say an opt-out must be honored within a reasonable time, and the agency has treated 10 business days as the outer limit for stopping messages. Platforms built for SMS marketing stop within seconds of a STOP reply, which is the industry standard.
The CTIA requires that short code and 10DLC programs recognize at minimum STOP, CANCEL, END, QUIT, and UNSUBSCRIBE as opt-out keywords. [4] You cannot force a consumer to opt out through a web form only. Replying STOP to the number that texted them has to work.
After someone opts out, you may send one final confirmation text acknowledging it. That single message is permitted even though the consumer is now on your suppression list. Send nothing after it.
Honor opt-outs from other channels too. If a consumer calls your customer service line and says "stop texting me," that is a valid revocation. Document it. The FCC's position is that consumers can revoke consent through any reasonable means.
One thing trips teams up constantly. A consumer who opts out of marketing texts has not opted out of transactional messages. You can still send a shipping confirmation or a password reset. Add a promotional element to that transactional message, though, and the whole thing becomes a marketing text, and the opt-out applies.
Keep a suppression list. Every opted-out number goes on it. Before any send, scrub your list against that file. Failing to maintain and use a suppression list is one of the most common reasons a TCPA suit turns into a class action instead of a single claim.
What time-of-day and frequency rules apply to marketing texts?
The TCPA, through FCC regulations at 47 C.F.R. § 64.1200, restricts telemarketing calls to between 8 a.m. and 9 p.m. local time at the called party's location. [6] The FCC applies the same window to text messages, treating marketing texts as telemarketing subject to the same hours.
Here is the practical catch. If you text a national list, you need the consumer's time zone, or you use the area code as a proxy. A text sent at 8:30 a.m. Eastern lands at 5:30 a.m. Pacific. Sending it to California numbers at that hour puts you outside the window.
The TCPA sets no maximum messages per week or month. The limits are on hours and on consent, not on a hard cap. Carrier filtering, though, kicks in hard for high-frequency senders, and excessive texting can support harassment claims under state unfair business practices laws even when each individual text sat inside TCPA rules.
State laws sometimes pile on. Florida's FTSA applies to automated texts sent to a residential telephone subscriber, with no time-window carve-out beyond the federal rule. Washington's Consumer Protection Act has been used against aggressive text marketers even without a TCPA hook. Check the laws of any state where you push real consumer volume.
For most small outbound teams, the safe rule is simple. Text between 10 a.m. and 7 p.m. local time in the consumer's zone. Keep promotional frequency under three or four times a month unless engagement data earns you more. Treat any unusually high unsubscribe rate as a signal that you are pushing too hard.
Does CAN-SPAM apply to text messages?
For standard SMS marketing, almost never.
CAN-SPAM covers electronic mail messages, which the statute defines as messages sent to an electronic mail address. [2] A standard 10-digit long code or short code message does not go to an email address. It goes to a phone number. CAN-SPAM does not govern it.
The one scenario where CAN-SPAM might touch SMS is the email-to-SMS gateway, where a message goes to something like 5551234567@vtext.com. The FCC issued rules in 2004 under CAN-SPAM's wireless provisions covering that format, but the delivery method is basically obsolete for marketing. Nobody runs commercial SMS campaigns through email-to-text gateways at any volume today.
So build your SMS compliance program around the TCPA and applicable state laws, full stop. Do not treat CAN-SPAM's unsubscribe window (10 business days) or its sender-identification rules as your SMS standard. The TCPA's consent and opt-out requirements are tougher than CAN-SPAM in almost every respect anyway.
If you run email marketing alongside SMS, CAN-SPAM governs the email and the TCPA governs the texts. They run in parallel, not as one merged framework. A consumer unsubscribing from your email list does not drop off your SMS list, and the reverse holds too, though the smart move is to offer both options at every touchpoint.
What state laws add requirements beyond the federal TCPA?
Florida is the state compliance teams worry about most. The Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, was amended in July 2021 to reach text messages. [3] It requires prior express written consent for automated texts to Florida numbers, mirrors the TCPA's $500 per-violation floor, and carries its own private right of action. Florida federal courts saw a surge in FTSA class action filings starting in late 2021. The consent standard tracks the TCPA, but Florida courts have sometimes been friendlier to plaintiffs on what counts as an ATDS.
Oklahoma passed HB 1259 in 2022, creating a private right of action for automated marketing texts sent without prior express written consent, with damages up to $500 per message. [11] Washington's Consumer Protection Act (RCW 19.86) has been used to support SMS claims as an unfair or deceptive act. California's CCPA and CPRA, primarily privacy laws, still touch SMS marketing because a phone number is personal data and consumers can opt out of the sale of that data, which affects how lead-gen lists get used. [7]
Texas has its own Business and Commerce Code provisions on telephone solicitations, though enforcement runs mostly through the state attorney general rather than private suits.
The pattern is consistent across states: prior consent, opt-out honoring, and sender identification. No state law is more permissive than the federal TCPA. Some are stricter. If you operate nationally, build to the most restrictive applicable standard and you are compliant everywhere.
For teams doing real estate text message marketing, state rules matter even more. Real estate deals are hyper-local, and the applicable law is usually the state where the property sits, not where your company is headquartered.
What records do you need to keep for TCPA SMS compliance?
Record-keeping is where compliance programs fall apart under legal scrutiny. A consent you cannot prove is a consent that does not exist for litigation purposes.
For each subscriber, retain:
1. The phone number and the date and time it was added to your list. 2. The exact disclosure language the consumer saw at opt-in, including any links or checkboxes. 3. The source of consent (specific URL, form name, campaign ID). 4. For web forms: IP address, user agent, and any session data that corroborates the submission. 5. Confirmation of any double opt-in reply, if you use one. 6. Any opt-out request, with the date it was received and honored. 7. Any messages sent, with timestamps.
Four years is the general retention standard because 28 U.S.C. § 1658 sets a four-year statute of limitations for federal civil claims. [10] Some practitioners keep records longer, since TCPA tolling arguments have stretched that window in some cases.
Store records in a format you can export and audit. If you get sued, you have to produce consent records in discovery. A spreadsheet buried in a marketing platform that needs a third-party vendor to export is a real problem even when the data technically exists.
The marketing text message service you use should have consent record export built in. If it does not, that is a red flag. Judge text message marketing software on whether it logs consent data you can actually pull back out, ahead of feature count or price.
LeadCompliant's free compliance kit includes a consent record template you can adapt to your existing stack, which is one shortcut if you are building this from scratch.
How does the 10DLC registration requirement affect SMS compliance?
10DLC (10-digit long code) registration is a carrier requirement, not a statute, but it is not optional in practice. Since 2021, carriers have required businesses sending marketing texts from 10-digit numbers to register their brand and campaigns through The Campaign Registry (TCR). [12] Unregistered traffic gets filtered or blocked.
Registration asks for your company's legal name and EIN, the use case for your messages (marketing, account notifications, and the like), sample message content, and a description of your opt-in and opt-out process. Carriers review it against CTIA guidelines. Approval is not automatic, and some use cases get rejected.
Short codes (5 to 6 digit numbers) go through separate vetting with each carrier. They cost more, roughly $500 to $1,000 per month for a dedicated short code versus negligible per-message fees on 10DLC, but they carry higher throughput and more carrier trust.
Toll-free numbers used for SMS also require verification through the toll-free verification registry carriers maintain. Unverified toll-free SMS traffic has been filtered more and more since 2023.
Here is the point people miss. 10DLC registration does not substitute for TCPA consent. You can be perfectly registered with TCR and still be breaking the TCPA if you text without consent. Registration handles sender identification and deliverability. The TCPA handles your legal right to contact someone. The two requirements exist independently.
If your platform claims to handle 10DLC registration for you, verify that the registration is actually complete and approved. Provisional registration does not protect you from carrier filtering, and some platforms have been slow to finish registrations for clients.
What does a legally compliant SMS marketing program look like in practice?
Put the pieces together and a compliant SMS program has about eight moving parts.
Consent capture: Every subscriber is opted in through a compliant process with a clear disclosure, at a specific touchpoint you can document. For most teams that means a web form, a keyword opt-in (text JOIN to 12345), or a point-of-sale enrollment. Each method needs its own documented disclosure.
List hygiene: Before any send, the list gets scrubbed against your internal suppression list (prior opt-outs), the National Do Not Call Registry if your texts could count as telephone solicitations under state law, and any state-specific lists that apply. [8]
Message compliance: Every marketing text carries your business name (so the consumer knows who is texting), an opt-out instruction (Reply STOP to unsubscribe), and no misrepresentation of the offer or sender. CTIA also recommends message frequency and rate disclosures in your welcome message.
Timing controls: Sends are scheduled only between 8 a.m. and 9 p.m. local time for the recipient, with 10 a.m. to 7 p.m. as the safer practical window.
Opt-out automation: STOP and its synonyms trigger immediate suppression and a single confirmation reply. No human in the loop.
Record retention: Consent records are stored and exportable for at least four years.
Ongoing monitoring: Opt-out rates, complaint rates, and carrier filtering events get reviewed on a schedule. Unusual spikes get investigated before the next send.
For teams running lead gen or working with purchased lists, add a consent verification step: confirm each number on an acquired list was consented specifically to your company, not to a generic category of marketers, per the FCC's 2025 one-to-one consent rule. Our lead generation compliance news hub tracks the rule changes as they land.
You can check your own TCPA exposure baseline and download a ready-made compliance checklist at LeadCompliant. The tools are free, and the checklist covers each step above with the specific disclosures regulators look for.
What are the biggest SMS compliance mistakes small teams make?
The most expensive mistake is treating purchased lists as consented lists. A broker selling opt-in leads rarely means those consumers consented to your specific company for your specific type of messages. After 2025, with the FCC's one-to-one consent rule in force, this is no gray area. Texting a purchased list without verifying that each record meets the consent standard is a TCPA violation waiting to happen.
Second is relying on implied consent. A consumer who gave you their number to grab a coupon, enter a contest, or book an appointment has not consented to ongoing marketing texts. The disclosure has to be explicit and contemporaneous with the number collection.
Third is not honoring opt-outs across platforms. If your CRM, your SMS platform, and your marketing automation tool each keep separate suppression lists, they have to sync. A consumer who opted out through your SMS platform but whose number still lives in a CRM export that gets uploaded to a new campaign is a live liability.
Fourth is sloppy record-keeping. Teams that lean on their platform's native records without ever exporting or backing up consent data have lost that data when they switched vendors, had accounts terminated, or hit platform outages. Own your consent records.
Fifth is ignoring state law updates. Florida's FTSA amendment in 2021 caught plenty of companies flat-footed. Washington and Oklahoma followed. This area of law moves, and the teams that get hit are the ones running the same program they set up three years ago without checking what changed.
Sector programs carry the same risks with different touchpoints. Take sample text message marketing for restaurants. A loyalty sign-up card on the table is a valid consent mechanism, but only if the disclosure language on that card meets the TCPA standard. Handwritten numbers a server jots down with no visible disclosure are not valid consent.
Frequently asked questions
Does the TCPA apply to text messages or just phone calls?
The TCPA covers both. The statute at 47 U.S.C. § 227 restricts using an automated telephone dialing system to make calls or send text messages to cell phones. Courts and the FCC have consistently treated SMS as covered by the same rules as voice calls for marketing. Prior express written consent is required for marketing texts sent via autodialer, same as for robocalls.
Can I text someone who gave me their number on a web form if I did not specifically mention texting?
No. Collecting a phone number on a web form does not automatically create TCPA consent for marketing texts. The consumer must have seen a clear disclosure that by submitting their number they agree to receive autodialed marketing texts from your company. A generic privacy policy or terms-of-service link is not enough. If the form lacked that explicit disclosure, you do not have valid consent.
What is the statute of limitations for TCPA claims related to text messages?
Federal courts generally apply the four-year catch-all statute of limitations under 28 U.S.C. § 1658 to TCPA claims. Some courts have used state-law limitations periods, which run shorter or longer. A few have allowed tolling arguments to reach beyond four years. Practically, retain consent records and message logs for at least four years from the date of each communication.
Do I need to register with The Campaign Registry (TCR) to send marketing texts?
Yes, if you send marketing texts from a 10-digit long code number. Carriers began requiring 10DLC registration through The Campaign Registry in 2021. Unregistered traffic is filtered or blocked. Registration needs your EIN, brand information, campaign use case, and sample messages. TCR registration is a carrier requirement, not a statute, but skipping it makes your messages practically undeliverable.
How quickly do I have to honor an opt-out request?
The FCC says opt-outs must be honored within a reasonable time. Industry standard and most platform defaults treat an opt-out as effective immediately, stopping future sends within seconds of a STOP reply. The FCC has indicated 10 business days is the outer limit. In practice, any compliant SMS platform processes opt-outs in real time. You may still send one final confirmation message after an opt-out.
Is prior express written consent the same as prior express consent?
No. Prior express written consent is the higher standard, required for marketing and promotional texts sent via autodialer. It needs a signed written agreement with specific disclosures. Prior express consent is the lower standard, enough for informational or transactional texts, and it can be oral or implied. The moment a message carries any promotional element, you need the written standard, not merely express consent.
What changed with the FCC's 2024/2025 one-to-one consent rule?
The FCC's December 2023 Order, effective January 2025, closed the lead-generator loophole by requiring consent on a one-to-one basis: one consumer, one named seller. Before, a single consent form could authorize texts from multiple affiliated companies. Now each seller must be individually and specifically identified in the consent agreement. This changes how lead-gen companies distribute consented leads to multiple clients.
Does Florida's FTSA apply to my business if I am located outside Florida?
Yes, if you text Florida area code numbers. The FTSA applies based on where the recipient is located, not where the sender sits. Any business texting Florida consumers with automated marketing messages must meet Florida's prior express written consent requirement and faces the FTSA's $500-per-violation private right of action. Your company's location does not shield you from Florida law.
Can I text a consumer who is on the National Do Not Call Registry?
The National Do Not Call Registry applies to telephone solicitations, which the FCC has interpreted to include text messages in some contexts. If a consumer is on the DNC Registry and has not given you prior express written consent, texting them for marketing is risky under both the TCPA and FTC telemarketing rules. Prior express written consent is the only reliable safe harbor, even for DNC registrants.
Are B2B text messages covered by the TCPA?
Yes, with some nuance. The TCPA applies based on the type of number (cell phone) and the use of an autodialer, not on whether the recipient is a consumer or a business person. Texts to an employee's work cell phone are still covered. The FCC has not created a broad B2B exemption for SMS. Some courts give slightly more latitude in B2B contexts, but building your program on that trend is risky. See our guide on b2b lead generation platforms gdpr compliance.
What disclosures are required in every marketing text message?
Every marketing text must identify the sender by name so the recipient knows who is texting. It must include an opt-out instruction, typically 'Reply STOP to unsubscribe.' CTIA guidelines also recommend disclosing message frequency in your welcome message. You do not need every disclosure in every subsequent message, but each marketing text needs at minimum the sender name and the opt-out instruction.
How does TCPA compliance differ for short codes versus 10-digit long codes?
The TCPA consent requirements are identical. Both short codes and 10DLC require prior express written consent for marketing texts. The differences are operational: short codes require carrier vetting and approval (6 to 12 weeks), cost more, and get higher throughput. 10DLC requires TCR registration, is cheaper, and has lower per-second throughput but easier setup. Consent, opt-out, and record-keeping obligations are the same for both.
What is the best way to prove consent if I am sued under the TCPA?
The burden shifts to the defendant to prove consent once a plaintiff establishes an autodialed text was sent. Your best evidence is a timestamped record showing the consumer's number, the exact disclosure language they saw, the date and IP address of submission, and any double opt-in confirmation reply. Screenshots and form archives help, but a database record that exports cleanly is stronger in discovery. Courts have dismissed cases where defendants produced clean, contemporaneous consent records.
Can a consumer revoke TCPA consent after giving it?
Yes. Consumers can revoke consent at any time through any reasonable means, including replying STOP, calling customer service, or sending a written request. The FCC takes a broad view of revocation methods. Once you receive a revocation through any channel, you must stop marketing texts promptly. You cannot contractually limit revocation to a single method, such as requiring consumers to log in to a portal. Any such restriction is likely unenforceable under FCC guidance.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA sets $500 statutory damages per violation, trebled to $1,500 for willful or knowing violations; restricts autodialed texts to cell phones
- FTC, CAN-SPAM Act Compliance Guide for Business: CAN-SPAM governs commercial email messages; does not govern standard SMS sent to phone numbers
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: FTSA as amended in 2021 requires prior express written consent for automated texts to Florida numbers with $500 per-violation private right of action
- FCC, 47 C.F.R. § 64.1200 (TCPA implementing regulations): FCC regulations restrict telemarketing calls and texts to between 8 a.m. and 9 p.m. local time at the called party's location
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA and CPRA treat phone numbers as personal data; consumers have rights to opt out of sale of their data, affecting how SMS lead lists may be used
- FTC, National Do Not Call Registry: FTC operates the National Do Not Call Registry; FCC has interpreted telephone solicitation rules to include text messages in applicable contexts
- U.S. Government, 28 U.S.C. § 1658 (statute of limitations for federal civil claims): Four-year catch-all statute of limitations for federal civil claims, applied by most courts to TCPA lawsuits
- Oklahoma Legislature, HB 1259 (2022), codified at Okla. Stat. tit. 15: Oklahoma HB 1259 created a private right of action for automated marketing texts without prior express written consent, with damages up to $500 per message
- The Campaign Registry, 10DLC registration program: TCR requires brands to register their company and campaign use case before sending marketing texts from 10-digit long code numbers; unregistered traffic is filtered by carriers