SMS marketing compliance requirements: US, EU, GDPR, and TCPA

TCPA requires written consent before marketing texts; GDPR adds strict data rules. Full US/EU SMS compliance requirements, penalties, and a free checklist inside.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Person at desk reviewing SMS compliance checklist with smartphone nearby
Person at desk reviewing SMS compliance checklist with smartphone nearby

TL;DR

In the US, the TCPA (47 USC 227) bans marketing texts to cell phones without prior express written consent and prohibits auto-dialed messages to numbers on the National DNC Registry. In the EU, GDPR requires a lawful basis for processing phone data, and the ePrivacy Directive requires opt-in consent before any commercial SMS. Breaking either law costs $500 to $1,500 per text under TCPA, or up to 4% of global turnover under GDPR.

What laws govern SMS marketing in the United States?

Two federal laws run US SMS marketing. The Telephone Consumer Protection Act (TCPA), codified at 47 U.S.C. § 227, is the main one. The CAN-SPAM Act covers email, not texts. The FTC's Telemarketing Sales Rule (TSR) can apply when a text is part of a telemarketing campaign that also involves calls. But TCPA is the statute behind nearly every SMS lawsuit you read about.

Congress passed the TCPA in 1991, long before anyone marketed by smartphone. The FCC has since read it to cover text messages sent by autodialer. A 2003 FCC order confirmed that SMS to wireless numbers is covered. A 2015 FCC Declaratory Ruling stretched the autodialer definition wide, then the Supreme Court in Facebook v. Duguid (2021) pulled it back, holding that an autodialer must use a random or sequential number generator. Courts are still sorting out what that means for list-based texting tools. Don't assume your software is safe just because it sends from a fixed contact list.

States layer their own rules on top. Florida's Telephone Solicitation Act requires its own written consent and bans texts before 8 AM or after 8 PM local time. California's Invasion of Privacy Act can also create exposure. Read our tcpa sms compliance guide for the federal framework, and check tcpa news today for recent case developments.

What does TCPA require before you send a marketing text?

You need prior express written consent. The FCC's 2012 rules, effective October 2013, tightened what that means. Before any autodialed or prerecorded marketing text goes out, you need the consumer's signature (physical or electronic) agreeing to receive that exact type of message, from your company, at that number. A checkbox buried in terms of service probably won't cut it. A pre-checked box definitely won't.

The written consent has to carry three things: the consumer's phone number, the name of the company they're agreeing to hear from, and a clear disclosure that they consent to autodialed marketing messages. The FCC put it plainly: "Prior express written consent means an agreement, in writing, bearing the signature of the person called."

The FCC's one-to-one consent rule, if it takes effect (it faces ongoing litigation as of mid-2025), stops consent for one seller from being shared across multiple companies on a single form. Watch lead generation compliance news for the current status.

Operational requirements beyond consent:

  • Honor opt-out requests promptly. Regulators expect opt-outs processed within 10 business days, though most platforms handle it instantly and you should too.
  • Every marketing text needs a way to opt out. The FCC hasn't mandated specific language, but STOP is the carrier standard.
  • Under the TSR, no marketing texts before 8 AM or after 9 PM in the recipient's local time zone. Several states run tighter windows.
  • The National Do Not Call Registry applies to text messages that are part of a telemarketing campaign. Scrub your numbers against it before texting.

The mechanics of a TCPA-compliant opt-in flow are in our sms opt in guide, and you can see a properly structured consent form at sms opt-in form.

How much can TCPA violations actually cost per text?

Statutory damages under TCPA are $500 per violation, meaning per text, with no damages cap in the statute for private plaintiffs. If a court finds the violation willful or knowing, damages triple to $1,500 per text. SMS campaigns routinely reach tens of thousands of people, so the math turns brutal fast.

A campaign of 50,000 texts sent without proper consent carries theoretical exposure of $25 million at $500 per message, or $75 million if a court finds willfulness. These aren't imaginary numbers. In 2019, Dish Network settled a TCPA and TSR case brought by the Department of Justice and four states for $280 million. Papa John's settled a text class action for $16.5 million. Real estate, insurance, and financial services firms get targeted over and over.

The class action structure is what makes TCPA so dangerous for small teams. One plaintiff, one attorney, and a class of 10,000 people who got the same unsolicited text turns into a bet-the-company lawsuit. You don't have to defraud anyone. Texting people who never gave proper written consent is enough.

There's no FCC pre-approval process. The liability is strict. Incomplete consent records or a failed opt-out mechanism leaves you exposed no matter what you intended.

Key SMS compliance thresholds at a glance Statutory penalties, consent standards, and timing rules across US and EU frameworks 500 TCPA penalty per text (standard) 1,500 TCPA penalty per text (willful) 20 GDPR max fine (millions EUR) 31 DNC scrub window (days) Source: 47 U.S.C. § 227 (TCPA); GDPR Regulation 2016/679; FTC Telemarketing Sales Rule, 16 CFR Part 310

What EU laws apply to SMS marketing, and how is GDPR involved?

Two EU instruments apply to SMS marketing together, and they work differently.

The General Data Protection Regulation (GDPR), Regulation 2016/679, governs how you collect, store, and process personal data, and a mobile number counts as personal data. GDPR requires a lawful basis for processing. For marketing, that basis is almost always consent (Article 6(1)(a)) or legitimate interests (Article 6(1)(f)). Legitimate interests is a shaky footing for direct marketing and data protection authorities (DPAs) routinely reject it when challenged.

The ePrivacy Directive (2002/58/EC, sometimes called the Cookie Directive) is the law that actually governs sending commercial electronic communications, SMS included. Article 13 says you need the subscriber's prior consent before sending unsolicited commercial communications by electronic means, text messages among them. The directive sets a common opt-in requirement across member states, though each country implements it a little differently.

So in practice you need both. A GDPR-compliant consent mechanism (explicit, documented, granular, revocable) and compliance with the ePrivacy Directive's prior opt-in rule. Getting EU consent for marketing texts means the person actively opts in (no pre-ticked boxes), understands what they signed up for, and can withdraw that consent easily at any time without penalty.

Some countries allow legitimate interests as a basis for B2B SMS to business contacts about relevant services. Even then, GDPR still governs the data processing, and the ePrivacy Directive may still demand prior consent depending on the member state. Our b2b lead generation platforms gdpr compliance article breaks this down for outbound sales teams.

They share a philosophy (affirmative opt-in) but split on specifics. Here's a side-by-side comparison:

RequirementTCPA (US)GDPR + ePrivacy (EU)
Consent standardPrior express written consentFreely given, specific, informed, unambiguous (Article 4(11) GDPR)
Pre-checked boxesNot permitted by FCC guidanceExplicitly prohibited
Consent documentationMust be retained (no statutory period specified; FCC implies indefinitely)Must be retained and producible on request
Right to withdrawYes, honor opt-outs promptlyYes, as easy to withdraw as to give
Consent bundlingOne-to-one FCC rule (if in effect) prohibits multi-seller consent on one formCannot bundle consent with other terms (Article 7(4) GDPR)
Texting hours8 AM to 9 PM recipient local time (TSR)No EU-wide rule; national laws vary
Who is coveredAny person with a US wireless numberAny natural person in the EU/EEA
Penalties$500-$1,500 per text, private right of actionUp to €20M or 4% of global annual turnover, whichever is higher
Class actionsYes, common and aggressiveNo private right of action under GDPR; enforcement by DPAs

The enforcement gap matters. TCPA creates a private right of action, so any individual or their lawyer can sue you directly. GDPR enforcement runs through national DPAs, which puts a layer of bureaucracy between a complaint and a fine. That doesn't make GDPR soft. The Irish DPA fined Meta €1.2 billion in 2023 over data transfers. But for a small US team texting US numbers, TCPA litigation is the closer threat.

What opt-in methods are legally valid for SMS marketing?

Under TCPA, valid written consent can come from a web form, a paper form, a recorded verbal agreement (verbal consent alone is not enough for autodialed marketing texts), or a keyword opt-in by text, where someone texts a keyword to your short code, sees a clear disclosure, then confirms. The keyword-to-short-code flow is popular because it builds a record automatically. The person started the conversation.

The confirmation text you send after someone opts in (double opt-in) isn't required by TCPA. It's still the single best risk-reduction move you can make. It proves the person had access to the number they gave you, confirms consent, and hands you a second record. Our sms double opt-in guide walks through the flow.

Under GDPR, double opt-in is closer to a practical requirement, because you have to show consent was informed and unambiguous. A confirmation message that restates what the person signed up for and gives a clear way to back out before any marketing starts is the standard most EU DPAs want to see.

What does not count as valid SMS consent under either law:

  • Buying a list of phone numbers and texting them
  • Assuming a number handed over on a business card means the person wants marketing texts
  • A terms-of-service checkbox granting blanket consent to "communications"
  • Consent obtained for a different company than the one sending the texts

LeadCompliant's free SMS opt-in checker helps you audit whether your current consent flow meets the written-consent standard before you send another campaign.

What are the content and timing rules for marketing texts?

For US campaigns, the FTC's Telemarketing Sales Rule sets the 8 AM to 9 PM local-time window. Some state laws tighten it. Florida uses the same hours but enforces them hard through its own statute. Several states have passed or are weighing rules that ban texts on Sundays.

Content requirements under TCPA are lighter than people think. There's no required word-for-word disclosure inside every marketing text. What the law does require is a clear, easy way to opt out of every marketing message. STOP as the opt-out keyword is a carrier industry standard set through the CTIA, the wireless industry association. Carriers can block traffic that ignores STOP requests.

The CTIA's Messaging Principles and Best Practices also want the initial opt-in confirmation message to carry the program name or brand, the message frequency ("Msg frequency varies" or a specific number), a reminder that message and data rates may apply, and the opt-out and help keywords. None of that is statutory. Carriers use it as their compliance bar anyway, and skipping it risks getting your short code or 10DLC number suspended.

For GDPR, every marketing SMS has to identify the sender clearly. Texting from an unidentified number or a spoofed identity breaks both GDPR (transparency principle, Article 5(1)(a)) and, in most member states, national ePrivacy rules.

Texting for a high-value industry like real estate follows the same consent and content rules, but the stakes climb with the transaction values. See real estate text message marketing for industry-specific examples.

How do 10DLC registration requirements fit into SMS compliance?

10-digit long code (10DLC) registration is a carrier-level requirement, not a statute, but ignore it and your texts get blocked. As of 2023, all US carriers require businesses sending application-to-person (A2P) SMS through 10-digit numbers to register their brand and campaign through The Campaign Registry (TCR).

Registration asks you to identify your business, describe the use case (marketing, 2FA, customer care), and confirm you have opt-in consent from recipients. Carriers use that data to filter spam. Unregistered traffic gets blocked or throttled.

10DLC registration does not make you legally compliant. It doesn't stand in for TCPA consent. It's a carrier technical requirement running parallel to the legal one. You need both.

Short codes (the 5- to 6-digit numbers high-volume senders use) go through a separate vetting process with the Short Code Registry and also require CTIA-compliant messaging programs. Toll-free numbers used for SMS have their own carrier verification process.

What this means for a small team: if you use a marketing text message service or text message marketing software platform, check whether it handles 10DLC registration for you and whether it documents that registration for your compliance records.

What records do you need to keep to defend a TCPA or GDPR claim?

Record-keeping is where most small teams fall apart. You can run a perfect opt-in flow and still lose a lawsuit because you can't prove the specific person suing you gave consent. In TCPA cases, the burden of proving consent sits on the defendant. That's you.

For TCPA, keep at minimum:

  • The consent record itself (timestamp, IP address if web-based, the exact language the person agreed to)
  • The phone number as it appeared in the consent record
  • The name of the program or company the person consented to
  • A record of every opt-out request and when you processed it
  • Your sent-message logs, with timestamp and recipient number for every text

For GDPR, Article 5(2) sets an accountability principle: you must be able to demonstrate compliance, more than claim it. That means records of your consent mechanism, records of what you showed the person at the moment of consent, and records of how long you plan to hold their data (you have to name a retention period and stick to it).

How long do you keep consent records? TCPA has a four-year statute of limitations for private claims under 28 U.S.C. § 1658, so four years after the last contact is the floor. GDPR requires you to delete personal data once it's no longer needed for the stated purpose, so your retention periods need to be defined in your privacy policy and actually enforced.

Store consent records in a system separate from, or at least independently queryable from, your sending platform. If your platform shuts down or loses data, you still need those records in hand.

Do the TCPA and GDPR apply to B2B SMS marketing?

This is a genuinely gray area, and nobody should sell you certainty on it.

Under TCPA, the statute covers texts to wireless telephone numbers regardless of whether the recipient is a consumer or a business. Text a salesperson's cell phone with a marketing message and that's a wireless number, so TCPA applies. The FCC never carved out a broad B2B exemption.

There's a practical wrinkle. TCPA applies to calls and texts made to a number using an autodialer. If you personally dial or type and send to individual prospects one at a time from your own phone, the autodialer trigger doesn't fire. But the moment you use a platform that manages lists, schedules, and sends at scale, you're almost certainly running something that functions like an autodialer under the FCC's reading, whatever Facebook v. Duguid narrowed.

Under GDPR, B2B data is still personal data when it can identify a natural person. A work email like john.smith@company.com is personal data. A mobile number belonging to an individual employee is personal data. Texting a business number doesn't strip the protection from the individual whose phone rings.

The EU's ePrivacy Directive lets some B2B commercial communications go out without prior consent in some member states, but it varies. Germany requires prior consent for B2B SMS in most cases. The UK, post-Brexit under the UK GDPR and PECR, allows B2B SMS with a soft opt-in where there's a prior business relationship. Don't assume EU B2B SMS is consent-free.

What are the most common SMS compliance mistakes that lead to lawsuits?

Look at the FCC enforcement actions and the publicly filed TCPA class actions from the past several years and the same mistakes keep showing up.

Buying or renting lead lists without consent verification is the biggest. A lead vendor claiming their contacts "opted in" is not the same as you holding documented proof of written consent for your specific marketing program. Courts have held that consent obtained by one company doesn't transfer to another unless the consumer specifically agreed to that transfer.

Failing to scrub against the National DNC Registry before texting is second. The FTC maintains the registry, and you have to check it before any telemarketing text campaign. You must access an updated copy of the registry within 31 days before each campaign.

Ignoring state-specific rules is third. A campaign that's clean under federal TCPA can still break Florida's law, Washington's law, or others with stricter timing, consent, or content requirements.

Sending after an opt-out is fourth. Platforms sometimes process opt-outs with a lag, and batched sends go out after someone texted STOP. Each of those is a per-message violation.

Using consent collected for one purpose to send a different type of message is fifth. If someone consented to shipping notifications, that's not consent for promotional texts.

Promotional texting is common for restaurants, and the risks there are just as real. See sample text message marketing for restaurants for examples of compliant promotional messages.

Our broader TCPA overview covers the legal theory behind these violations.

How should a small US team set up a compliant SMS marketing program from scratch?

Start with consent, not technology. Before you pick a platform or write a single message, figure out exactly who you have proper written consent from and document it.

Step 1: Audit your existing contacts. For every phone number, ask: do I have a dated, documented record of this person's express written consent to receive marketing texts from my company? "I think so" or "they filled out a form" isn't enough. You need the actual record.

Step 2: Build a compliant opt-in flow. Web form, keyword campaign, or paper sign-up sheet, the language has to clearly state that the person agrees to receive autodialed marketing texts from your company at the number provided, that message and data rates may apply, and that they can opt out anytime by replying STOP. Use double opt-in. See our sms opt-in form guide for language templates.

Step 3: Register your 10DLC number or short code. Do this before sending any A2P traffic. Your platform should handle it, but confirm.

Step 4: Scrub your list against the National DNC Registry within 31 days before each campaign.

Step 5: Set up automated opt-out processing. Your platform should treat STOP, UNSUBSCRIBE, CANCEL, END, and QUIT as standard opt-out keywords. Test it before you launch.

Step 6: Log everything. Consent records, send logs, opt-out logs, DNC scrubs. Keep it all for at least four years.

Step 7: Review your state exposure. If you text Florida, Washington, or Oklahoma numbers, read those state statutes specifically. The rules vary.

LeadCompliant's free compliance kit includes a TCPA consent language checklist and a record-keeping template you can adapt.

Frequently asked questions

Does TCPA apply to texts sent one at a time by a person, not a platform?

Maybe. TCPA's autodialer requirement is what usually creates liability for mass texts. If a person manually types and sends a single text from their own phone with no automated system involved, TCPA's autodialer provisions don't apply. But use any software platform to manage, schedule, or send texts at scale and you're likely using something courts or the FCC could classify as an autodialer. Facebook v. Duguid (2021) narrowed the definition, but the law stays unsettled.

Can I text someone who gave me their business card?

Under TCPA, no. Handing you a business card is not prior express written consent to receive marketing texts. It's permission to contact them for business purposes, not a signed agreement to autodialed marketing messages. If you want to text them, get explicit written consent first. Same in the EU under GDPR: a business card exchange doesn't meet the freely given, specific, informed consent standard for marketing communications.

What is the GDPR penalty for illegal SMS marketing?

Under Article 83(5) of the GDPR, violations of the consent provisions can bring fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher. In practice, most SMS-related violations get handled at a lower tier or with corrective orders rather than maximum fines, but the ceiling is real. The Irish DPA fined Meta €1.2 billion in 2023 over separate violations, showing regulators will reach the top for serious cases.

What is a 10DLC registration and is it legally required?

10DLC (10-digit long code) registration is a carrier industry requirement, not a statute. The Campaign Registry (TCR) manages brand and campaign registration for businesses sending marketing texts through standard 10-digit numbers. Carriers started blocking unregistered A2P traffic in 2023. It's not a substitute for TCPA consent. You need both: legal consent from recipients and carrier registration for your number. Skip registration and your messages get blocked, not that you get sued.

The TCPA statute of limitations for private claims is four years under 28 U.S.C. § 1658. Keeping records at least four years after the last contact with any subscriber is a practical floor. For GDPR, there's no set retention period for consent records, but you must be able to demonstrate compliance on request and delete personal data once it's no longer needed. Many practitioners keep EU consent records for the length of the relationship plus three years.

Is SMS double opt-in required by law?

No US statute or FCC rule explicitly requires double opt-in (a confirmation message after someone subscribes). But it's the most practical way to prove consent if you're ever sued. Under GDPR, while not written as a strict requirement, EU data protection authorities generally expect the kind of unambiguous consent a double opt-in produces. Since TCPA puts the burden of proving consent on the defendant, double opt-in is close to essential as risk management.

Do I need to check the National Do Not Call Registry before sending marketing texts?

Yes, if your texts are part of a telemarketing campaign. The FTC's National DNC Registry applies to telemarketing text messages, not only calls. You must access an updated copy of the registry within 31 days before each campaign and scrub your list against it. Residential numbers on the DNC list can't receive telemarketing texts without the recipient's prior express invitation or permission. DNC violations can bring FTC enforcement and civil penalties.

What hours can I legally send marketing texts in the US?

The FTC's Telemarketing Sales Rule prohibits telemarketing contacts before 8 AM or after 9 PM in the recipient's local time zone. That covers marketing SMS. Some states run tighter windows. Florida uses the same hours but enforces them through its own statute with separate penalties. Calculate time zones from the recipient's area code, and accept that cell numbers are portable and sometimes no longer reflect the original location.

Does GDPR apply to US companies that text EU residents?

Yes. GDPR reaches beyond the EU under Article 3. If you target or monitor EU residents, GDPR applies regardless of where your company sits. A US company sending marketing texts to people in Germany or France is subject to GDPR for processing those individuals' phone numbers. You'd also need to comply with the ePrivacy Directive as implemented in the relevant member state. US businesses often miss this, assuming EU law only touches EU companies.

No. Under TCPA, consent must be specifically for autodialed marketing texts. Consent to receive emails doesn't extend to texts. The FCC requires the consumer's consent expressly agree to calls or texts by autodialer or prerecorded message. Under GDPR, consent must be specific to the purpose and the channel. If someone signed up for your email newsletter, they didn't consent to SMS marketing. You need a separate, channel-specific opt-in.

What must an SMS opt-out confirmation message include?

When someone replies STOP (or another opt-out keyword), carriers and the CTIA best practices expect one final confirmation message. It should confirm the opt-out, state that no further messages will be sent, and carry no marketing content. It can include a phone number or website to re-subscribe if they choose. After that single confirmation, you must stop all marketing messages to that number immediately. Sending another marketing message after an opt-out is a clear TCPA violation.

How is UK SMS marketing law different from EU GDPR after Brexit?

The UK kept GDPR in domestic law as the UK GDPR, running alongside the Data Protection Act 2018. The substantive consent requirements are nearly identical to EU GDPR. For SMS, the UK also has the Privacy and Electronic Communications Regulations 2003 (PECR), which mirrors the EU's ePrivacy Directive. One notable difference: UK rules allow a 'soft opt-in' for B2C SMS where there's an existing customer relationship and the message covers similar products or services. The EU ePrivacy Directive has no equivalent.

The FCC adopted a rule in December 2023 requiring that express written consent for marketing calls and texts identify a single seller, not a list of companies on a shared lead generation form. The rule was set to take effect in January 2025 but faces ongoing legal challenges as of mid-2025. If it survives, any SMS program relying on consent gathered through a lead form listing multiple companies would need rebuilding so each consumer consents specifically to your company. Monitor FCC dockets and litigation closely.

Is there a TCPA exemption for nonprofit or political text messages?

Political messages and nonprofit fundraising get treated differently in some FCC guidance. The FCC has held that calls by tax-exempt nonprofits for non-commercial purposes may fall outside the TCPA's residential calling restrictions. Political campaign texts have some protection under First Amendment arguments. But these exemptions are narrower and more contested than often claimed. Any text using an autodialer to cell phones still raises TCPA questions, and several class actions have targeted political campaigns. Get specific legal advice before assuming an exemption applies.

Sources

  1. FTC, National Do Not Call Registry: The National DNC Registry applies to telemarketing text messages and must be scrubbed within 31 days before each campaign.
  2. US Government Publishing Office, 47 U.S.C. § 227 (TCPA statutory text): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful or knowing violations.
  3. Department of Justice, United States v. Dish Network LLC settlement (2019): Dish Network settled a TCPA and TSR enforcement action for $280 million in 2019.
  4. EUR-Lex, Regulation (EU) 2016/679 (GDPR full text): GDPR Article 6 requires a lawful basis for processing personal data; Article 83(5) sets penalties up to €20M or 4% of global turnover.
  5. EUR-Lex, Directive 2002/58/EC (ePrivacy Directive): Article 13 of the ePrivacy Directive requires prior consent before sending unsolicited commercial communications by electronic means, including SMS.
  6. FTC, Telemarketing Sales Rule, 16 CFR Part 310: The FTC's Telemarketing Sales Rule prohibits telemarketing contacts before 8 AM or after 9 PM in the recipient's local time zone.
  7. The Campaign Registry (TCR), 10DLC brand and campaign registration: All US carriers require businesses sending A2P SMS through 10-digit numbers to register their brand and campaign through The Campaign Registry.
  8. US Government Publishing Office, 28 U.S.C. § 1658 (catch-all statute of limitations): The TCPA statute of limitations for private claims is four years under 28 U.S.C. § 1658.
  9. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in 2021 that an autodialer must use a random or sequential number generator, narrowing the TCPA's autodialer definition.
  10. European Data Protection Board, Guidelines 05/2020 on consent under GDPR: EDPB guidelines state that consent must be freely given, specific, informed, and unambiguous; pre-ticked boxes do not constitute valid consent.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit