SMS marketing compliance: TCPA, CTIA guidelines, and avoiding spam filters

TCPA fines hit $500, $1,500 per text. Learn the exact consent rules, CTIA guidelines, and spam-filter tricks that keep your SMS campaigns legal and delivered.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-11

Hands holding smartphone on wooden desk with soft afternoon light for SMS marketing compliance
Hands holding smartphone on wooden desk with soft afternoon light for SMS marketing compliance

TL;DR

SMS marketing compliance means getting prior express written consent before you send a promotional text, following CTIA carrier guidelines on message content and opt-outs, and avoiding words and sending patterns that trip spam filters. TCPA violations cost $500 to $1,500 per message. Most failures trace back to weak opt-in records, missed opt-out keywords, and unregistered sender numbers.

What laws and rules actually govern SMS marketing?

Three overlapping layers control what you can and cannot do with a marketing text. Two of them are legal. One is contractual. All three can shut you down.

The first is federal statute. The Telephone Consumer Protection Act, 47 U.S.C. § 227, is the main law. It restricts autodialed calls and texts to cell phones without prior express consent. The FCC writes the implementing rules at 47 C.F.R. Part 64. A 2012 FCC order tightened the standard for marketing messages, requiring "prior express written consent" instead of the older oral-consent standard [1].

The second layer is the CTIA guidelines. CTIA is the wireless industry trade group, and it publishes the Messaging Principles and Best Practices. Carriers like T-Mobile, Verizon, and AT&T enforce those guidelines contractually, down through the aggregators and SMS platforms you use. Break them and you do not get sued. You get blocked, or your number gets suspended. That makes CTIA rules as dangerous to your operation as the TCPA is to your bank account [2].

The third layer is state law. California's Automatic Renewal Law, Florida's FTSA (which adds a private right of action for texts sent by a system with the capacity to text a list), and other state statutes stack requirements on top of the federal ones. Florida's 2023 amendments narrowed the FTSA's reach, but the statute still bites if you text Florida consumers [3].

For most small outbound teams, the TCPA and CTIA guidelines are the main event. Get those two right and state compliance usually follows, though checking your specific target states is still worth the hour. See our deeper breakdown at tcpa sms compliance.

The written consent standard is stricter than most people expect. The FCC's 2012 order defined prior express written consent as an agreement that is signed (electronic signatures count), names who will be contacting the person, and states clearly that the person agrees to receive autodialed or prerecorded calls or texts. The agreement cannot make consent a condition of buying anything [1].

What that rules out: a checkbox on a purchase form that says "I agree to terms and conditions." That does not work. You need a standalone disclosure that reads something like: "By checking this box, you consent to receive recurring promotional text messages from [Company Name] at the number you provide. Message and data rates may apply. Reply STOP to opt out." [2]

The word "written" includes electronic signatures under the E-SIGN Act, 15 U.S.C. § 7001. A typed name in a web form qualifies. A recorded verbal statement does not, at least not for promotional texts [11].

Consent attaches to the specific number the consumer gives you. Change the number and the consent does not travel with it. Consent is also revocable at any time, and the consumer owes you no reason. The FCC's 2023 order confirmed that consumers can revoke consent "through any reasonable means," not only by replying STOP [4].

Keep the record: timestamp, IP address, the exact disclosure language shown, the form URL. You will want every field of it if a TCPA claim lands in your inbox. Our guide on sms opt in requirements covers what that record needs to contain.

How do CTIA guidelines differ from the TCPA, and why do both matter?

The TCPA is a law, enforced by the FCC and by private plaintiffs in court. CTIA guidelines are industry rules, enforced by carriers on their own networks. Both can end your program.

CTIA's Messaging Principles and Best Practices cover ground the TCPA does not touch directly: required message elements, opt-out keyword handling, HELP keyword handling, frequency disclosures, and banned content. CTIA prohibits texts promoting cannabis, firearms, payday loans, and high-risk financial services regardless of consent [2].

Carriers filter all commercial SMS traffic automatically. Texts sent through 10DLC (10-digit long code) numbers now have to be registered through The Campaign Registry. Unregistered traffic gets filtered. As of 2023, every major U.S. carrier requires 10DLC registration for application-to-person (A2P) business texting on long codes [5].

Short codes (5 to 6 digit numbers) run through a separate provisioning process and usually get higher throughput and better deliverability. They also cost more. Toll-free numbers used for SMS need their own toll-free verification.

Here is the split worth memorizing. TCPA compliance keeps you out of court. CTIA compliance keeps your messages from getting blocked before anyone reads them. You need both, and they are not the same checklist.

What are the TCPA penalties for non-compliant text messages?

The TCPA sets statutory damages at $500 per violation, meaning per text, and treble damages of $1,500 per violation when the conduct is willful or knowing [6]. There is no cap on aggregate damages in a class action.

The math turns ugly fast. A campaign that sends 10,000 texts without proper consent exposes you to $5 million at the base rate, $15 million if a court finds the conduct willful. Courts have certified class actions on facts exactly like that. Facebook settled a TCPA class action for $650 million in 2021, though that case turned on its own specific facts [7].

For small teams, the more common event is a demand letter claiming a handful of violations. Those often settle for $5,000 to $50,000. The plaintiff's bar files these fast and files them well. Some individuals collect dozens of settlements a year by handing their cell number to businesses and logging every text that follows.

The FCC can bring its own enforcement actions too, with per-violation fines that adjust for inflation each year. Private litigation is far more common in practice.

One number worth knowing: federal TCPA filings have run north of 4,000 cases a year in recent years, according to PACER data tracked by law firms covering the docket. Nobody publishes a fully reliable annual count. The volume has stayed high even after the Supreme Court narrowed the autodialer definition in Facebook v. Duguid in 2021 [8].

TCPA statutory damages per violation type Per-text exposure based on 47 U.S.C. § 227(b)(3) Standard violation (per text) $500 Willful/knowing violation (per te… $1,500 10,000-text campaign, standard ra… $5M 10,000-text campaign, willful rate $15M Source: 47 U.S.C. § 227(b)(3), U.S. Congress

What must every compliant marketing text message include?

CTIA guidelines plus common practice produce a short list of required and strongly recommended elements. Not every text carries all of them. The enrollment message does.

Required or strongly expected on ongoing messages:

  • Clear sender identification (who is texting)
  • The nature of the message if it is part of a recurring program
  • An opt-out mechanism (STOP is the industry-standard keyword, and carriers enforce it)
  • A HELP response pointing to contact information or a support URL

At program enrollment (the initial opt-in confirmation), CTIA says you must include: 1. Business name 2. Program description 3. Message frequency ("Msg frequency varies" or "Up to 4 msgs/month") 4. "Msg & data rates may apply" 5. Opt-out instructions (STOP to cancel) 6. Help instructions (HELP for help) 7. Link to privacy policy and terms of service [2]

The onboarding confirmation message, the one that fires the second someone opts in, needs all seven. After that, each message should carry a business identifier and a STOP reminder at minimum.

Some platforms let you drop the STOP reminder into every third or fourth message rather than every single one. That practice is generally accepted. Including it every time is safer. Our sms opt-in form guide covers how to structure the enrollment experience so it meets these requirements from the first send.

How do you handle opt-outs, and what happens if you miss one?

When someone texts STOP, CANCEL, END, QUIT, or UNSUBSCRIBE, you stop sending marketing texts to that number immediately. The industry-standard reply is a single confirmation: "You have been unsubscribed and will receive no further messages from [Company]. Reply START to resubscribe." That one confirmation is allowed after an opt-out. Any further marketing text is not [2].

The FCC's October 2023 order went further. It confirmed that consumers can revoke consent "through any reasonable means," more than SMS keywords. If someone emails you to stop the texts, or tells your rep to stop during a phone call, you have to honor it. The order gives covered entities a reasonable window (generally read as within 10 business days) to process non-standard revocations. The obligation is real either way [4].

Missing an opt-out is one of the most common ways plaintiffs manufacture claims. The pattern is almost always the same. Person opts out. They get removed from the main list. A separate campaign list or a manual follow-up sequence never gets the memo. Three texts later, you are holding three violations worth $500 to $1,500 each.

What you need is one suppression list that every list and every campaign checks before it sends. If you run multiple SMS platforms, or a mix of platforms and manual texting, each one has to reference the same suppression list. Unglamorous work. It is also the line between a clean operation and a lawsuit.

What sending patterns and content trigger carrier spam filters?

Carrier filtering is the other way an SMS program dies, and it is separate from your legal risk. Messages that look like spam get blocked before delivery, and the sending number can get flagged or suspended.

Content that gets texts filtered or blocked:

  • Words carriers tie to fraud and high-risk offers: "free," "winner," "cash prize," plus urgency like "Act now" paired with a financial promise
  • URLs that are unregistered, use link shorteners with bad reputations (bit.ly gets filtered heavily on some carriers), or redirect to prohibited content
  • Identical messages fired at large lists with no personalization signal
  • Cannabis, gambling, firearms, and payday loan content, opt-in or not [2]

Sending behavior that trips filters:

  • High send velocity from a single 10DLC number (long codes cap around 75 messages per minute in most setups)
  • A sudden volume spike from a number that was quiet last week
  • High opt-out rates on prior messages (carriers read that as unwanted traffic)
  • High undeliverable rates

For 10DLC traffic, registration through The Campaign Registry is your main defense against blanket filtering. A registered campaign with a verified use case earns a trust score that affects throughput and deliverability [5]. Toll-free verification does the same job for toll-free numbers.

A reputable marketing text message service handles most of the registration mechanics for you. The content and the sending cadence are still your call.

What is 10DLC registration and do you actually need it?

10DLC stands for 10-digit long code. These are ordinary-looking phone numbers, the kind with a local area code, used for business texting. Before 2021, businesses sent SMS from 10DLC numbers with almost no oversight. That ended when carriers, through CTIA and The Campaign Registry (TCR), required registration for A2P business traffic [5].

If you send business texts from a local 10-digit number through any software platform, you almost certainly need 10DLC registration. The process has two parts. Brand registration verifies your business entity with TCR and runs roughly $4 to $10 one time. Campaign registration describes the use case for your messages and runs roughly $10 to $15 per month per campaign [5].

Unregistered 10DLC traffic gets filtered hard by major carriers. Some messages still slip through, but deliverability drops, and the enforcement has tightened over time, not loosened.

Short codes skip 10DLC registration but carry their own provisioning process through carriers. They take 8 to 12 weeks to set up and cost $500 to $1,000 or more per month. For high-volume marketing, short codes can pay off. For smaller teams sending under a few thousand messages a month, 10DLC is the practical path.

Toll-free numbers used for SMS need toll-free verification, a separate process again. Most major SMS platforms handle all three registration types. If yours does not, that is a red flag. See our comparison of text message marketing software for what to look for in a platform.

What does a compliant SMS opt-in flow look like from start to finish?

A compliant opt-in flow has four stages: the pre-opt-in disclosure, the consent capture, the confirmation message, and ongoing list management. Skip any one and the whole thing gets shaky.

Stage 1: Pre-opt-in disclosure. Before anyone hands over a number, they see every required disclosure. This usually sits next to the phone number field on a form, or in the keyword opt-in prompt. The disclosure names your business, describes the program, states frequency, says "Msg & data rates may apply," and gives opt-out and help instructions. It cannot hide inside terms and conditions that require a separate click. It has to be right there, next to the consent mechanism [1][2].

Stage 2: Consent capture. The person takes an affirmative action: checks an unchecked box, texts a keyword to a short code, or submits a form. Pre-checked boxes do not count as consent under the FCC's reading. The action has to be unambiguous and voluntary.

Stage 3: Confirmation message. Within seconds of opt-in, an automated message goes out confirming enrollment. It carries all seven CTIA-required elements, confirms the number is enrolled, and repeats the opt-out instruction. This is mandatory for keyword opt-ins (texting JOIN to your number) and strongly recommended for form-based opt-ins.

Stage 4: List management. Store the number with a timestamp, source, and the exact disclosure language shown. Every outgoing campaign checks against your suppression list. Opt-outs update that list in real time.

For high-stakes programs, some teams add a double opt-in step. After the initial confirmation, they send a second message asking the person to reply YES. Not required by law. It creates an extra record of intent and cuts down on fraudulent or fat-fingered numbers. Our sms double opt in article covers when the tradeoff in list size is worth it.

LeadCompliant's free compliance kit includes a consent language template and an opt-in checklist you can adapt for your program without starting from a blank page.

What are the rules on texting times and message frequency?

The TCPA does not name permitted texting hours for SMS the way some state do-not-call laws name calling hours. But FCC guidance and CTIA best practices both point to 8 a.m. to 9 p.m. in the recipient's local time as the expected window [1][2].

"Local time" means their time zone, not yours. In California texting someone in Florida, 7 a.m. Pacific is 10 a.m. Eastern for them. Fine. Send at 8 p.m. Pacific and you hit a Florida recipient at 11 p.m. Not fine. That is the exact error automated campaigns love to multiply across a list.

Frequency disclosures have to be accurate. Say "up to 4 messages per month" and then send 12, and you have a problem on two fronts: CTIA compliance and the consumer's expectation argument in a TCPA suit. Frequency creep during promotions is a classic mistake.

No hard federal cap exists on how many texts you can send a consented subscriber. Common sense still applies. High opt-out rates from over-messaging feed straight back into carrier spam filters, and the argument that a consumer was harassed despite opting in has surfaced in litigation.

Can you text numbers from purchased lists or scraped data?

No. Full stop.

The TCPA requires consent from the individual consumer, tied to the specific number, for a specific sender. A purchased list of cell numbers does not come with TCPA consent. Whatever consent the original collector gathered, if any, generally does not transfer to a third-party marketer under the FCC's current reading [1].

The FCC's January 2024 one-to-one consent ruling (vacated by the 11th Circuit in January 2025 on procedural grounds) tried to require consent that names each seller individually. That ruling is not in effect. It still tells you the direction of travel: the agency has been tightening how transferable consent can be, not loosening it [9].

Scraping phone numbers from websites, social profiles, or directories and texting them is both a TCPA violation and a near-certain path to carrier suspension. Those numbers carry no consent, and the sending pattern looks identical to a spam operation, because that is what it is.

Compliant outbound texting means you capture consent inside your own funnel: web forms, keyword opt-ins, or inbound call flows where the person agrees. If your lead generation compliance process runs on bought lists, SMS is the wrong channel until you rebuild the consent architecture from scratch.

How do you build a compliance record that actually holds up?

The record you need answers one question: prove this person consented to receive texts from you, at this number, on this date.

That takes: 1. Timestamp of consent, in UTC or a local time with the zone noted 2. IP address of the submission 3. URL of the form, or the keyword used 4. The exact disclosure language shown at the time (screenshot or version-controlled copy) 5. The phone number as submitted 6. Any double opt-in confirmation, if you used one

Saved screenshots alone are not reliable. The record needs to live in a database, be exportable, and tie to the contact record. Most compliant SMS platforms capture some of this automatically. "Some" is not enough. Check what your platform stores and fill the gaps yourself.

Keep consent records at least four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658 [12]. Some practitioners keep records longer for high-volume programs.

Get a demand letter and the first question your attorney asks is whether you have the consent record. If the answer is no, your position weakens badly, whether or not you actually had consent at the time. The record is the proof. Without it, you are arguing from memory against a plaintiff holding phone records.

LeadCompliant's free consent record checklist (at leadcompliant.com) walks each required field and shows where most platforms fall short on automatic capture.

Frequently asked questions

Does the TCPA apply to text messages or just phone calls?

Yes, the TCPA applies to text messages. The FCC confirmed this in a 2003 ruling and has reaffirmed it since. Under 47 U.S.C. § 227, the statute covers calls made with an automatic telephone dialing system, and texts sent via software platforms to cell phones fall inside that definition. The same prior express written consent requirement for promotional calls applies to promotional texts.

What is the CTIA and why do their guidelines matter for SMS marketing?

CTIA is the trade association for U.S. wireless carriers. Its Messaging Principles and Best Practices set the content and operational standards carriers like AT&T, Verizon, and T-Mobile enforce on SMS traffic. Break CTIA guidelines and you will not get sued, but your messages get filtered or your number gets suspended by the carrier. In practice, CTIA compliance matters as much to your operation as TCPA compliance does.

How much does it cost to register for 10DLC?

Brand registration with The Campaign Registry runs roughly $4 to $10 as a one-time fee. Campaign registration runs about $10 to $15 per month per use case. SMS platforms usually pass these fees through. Unregistered 10DLC traffic gets filtered by major carriers, which makes registration effectively mandatory for any A2P business texting on long-code numbers as of 2023.

Can I text someone who gave me their number on a business card?

Probably not for marketing. A business card gives you a number, not TCPA prior express written consent for promotional texts. In B2B contexts where you text about a direct business transaction, the consent rules differ and some exceptions may apply. For any marketing or promotional content, you need explicit written consent that meets the FCC's standard, no matter how you got the number.

What words should I avoid to prevent my texts from being filtered as spam?

Carriers filter phrases common in fraud and high-risk marketing: "free prize," "you won," "cash reward," "act now," "guaranteed income," and similar urgency or prize language. Avoid unregistered short URLs and bit.ly links. Cannabis, gambling, payday loan, and firearms content gets filtered regardless of opt-in status under CTIA guidelines. Identical mass-blasted messages with no personalization also score poorly with carrier algorithms.

What is the difference between a short code, 10DLC, and toll-free number for SMS?

Short codes are 5 to 6 digit numbers provisioned directly with carriers for high-volume sending. They cost $500 to $1,000-plus per month and take 8 to 12 weeks to provision. 10DLC numbers are standard 10-digit local numbers registered through The Campaign Registry for business use. Toll-free numbers (8xx) can also send SMS but need separate toll-free verification. Each carries different throughput limits, costs, and carrier trust levels.

How quickly must I honor an opt-out request?

STOP keyword opt-outs should process immediately, within the same sending session or within seconds via automation. The FCC's 2023 order confirmed that consumers can revoke consent through any reasonable means, not only SMS keywords. For non-standard revocations (email or verbal request), the FCC allows a reasonable processing period, generally read as within 10 business days. Any marketing text after a clear opt-out creates a TCPA violation.

Is double opt-in required for SMS marketing?

No. Double opt-in (sending a confirmation and requiring a reply YES before enrolling someone) is not required by the TCPA or CTIA guidelines for most use cases. It is a best practice that builds a stronger consent record and filters out mistyped numbers. Some high-risk industries and high-volume programs benefit from it. The tradeoff is list size: double opt-in typically cuts enrollment by 15 to 30%. See our sms double opt in guide for the details.

The FCC issued a one-to-one consent rule in late 2023 that would have required consent to name each individual seller or marketer, killing the broad consent forms lead generators rely on. The 11th Circuit vacated that rule in January 2025 on procedural grounds, finding the FCC had exceeded its statutory authority. As of mid-2025 the rule is not in effect, but the FCC's intent to tighten consent transferability remains a live regulatory risk.

Not entirely. The TCPA applies to cell phone numbers no matter whether the owner uses the number for business. If a business contact's number is a personal cell, TCPA consent rules apply. The main B2B carve-out covers texts sent to a number registered to a business line rather than an individual consumer. Most B2B prospects use cell phones, so the safer default treats all outbound SMS as needing TCPA-compliant consent unless you have confirmed the number is a business landline or VoIP line.

What should the opt-out confirmation message say?

CTIA's standard is one confirmation: something like "You have been unsubscribed from [Company Name] texts. No further messages will be sent. Reply START to resubscribe." That single message is permitted after an opt-out. Include no promotional content in it. After it sends, the number goes onto your suppression list before any future campaign runs. Keep the message under 160 characters to avoid multi-part SMS billing issues.

At minimum, four years. The TCPA's statute of limitations is four years under 28 U.S.C. § 1658, so you need records covering active and recently inactive subscribers within that window. Some compliance practitioners keep five to six years for high-volume programs where litigation risk runs higher. The record should include the timestamp, IP address, disclosure language shown, form URL, and the phone number as entered at consent.

Does the TCPA apply if I'm texting from my personal phone manually?

Manual texting from a personal phone to a single number does not use an autodialer and generally falls outside the TCPA's technical restrictions on autodialers. But this is a narrow exception. Use any software to text a list, even a small one, and autodialer analysis applies. After the Supreme Court's 2021 Facebook v. Duguid decision narrowed the autodialer definition, some manual-style texting platforms argue they are not autodialers. That remains contested in litigation and varies by platform design.

What is the Facebook v. Duguid decision and how did it change TCPA compliance?

In Facebook v. Duguid (2021), the Supreme Court held that an autodialer under the TCPA must have the capacity to generate phone numbers using a random or sequential number generator. That narrowed the definition sharply, excluding systems that simply send to a stored list. Many modern SMS platforms argue they no longer qualify as autodialers. TCPA liability from other angles (consent, revocation, content) stayed unchanged, and some states use their own broader definitions.

Sources

  1. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059 F.S.: Florida's FTSA creates a state private right of action for certain automated outbound text communications and was amended in 2023
  2. The Campaign Registry (TCR), 10DLC Registration Overview: 10DLC brand registration costs approximately $4-$10 one-time and campaign registration costs approximately $10-$15 per month; unregistered A2P traffic on long codes is filtered by major carriers
  3. U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227(b)(3): TCPA provides statutory damages of $500 per violation and up to $1,500 per willful or knowing violation
  4. U.S. District Court, N.D. Cal., Patel v. Facebook, No. 3:15-cv-03747 (2021 settlement): Facebook settled a TCPA-related class action for $650 million in 2021, illustrating aggregate exposure in TCPA class actions
  5. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an autodialer under the TCPA must have the capacity to generate numbers using a random or sequential number generator, narrowing the prior broader definition
  6. U.S. Court of Appeals, 11th Circuit, Insurance Marketing Coalition v. FCC, No. 24-10277 (2025): 11th Circuit vacated the FCC's one-to-one consent rule in January 2025, finding the agency exceeded its statutory authority; the rule is not currently in effect
  7. U.S. Congress, Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. § 7001: E-SIGN Act establishes that electronic signatures satisfy written signature requirements under federal law, making typed form submissions valid as written consent under TCPA
  8. U.S. Congress, 28 U.S.C. § 1658, statute of limitations for federal claims: Four-year statute of limitations applies to TCPA claims filed in federal court under 28 U.S.C. § 1658

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit