Last updated 2026-07-09

TL;DR
To legally send marketing texts in the US, you need prior express written consent from each recipient, a clear opt-out path, compliant message disclosures, and adherence to TCPA calling-hour restrictions. The FCC's 2024 one-to-one consent rule took effect January 27, 2025. Each violation costs $500 to $1,500. This guide covers all four layers: the statute, FCC orders, CTIA guidelines, and state add-ons.
What laws actually govern SMS marketing in the US?
Four layers of law stack on top of each other, and you have to satisfy all of them. Miss one and you're exposed on that one, no matter how clean the others are.
The Telephone Consumer Protection Act of 1991, codified at 47 U.S.C. § 227, is the federal floor [1]. It restricts any call or text made with an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to a wireless number without the called party's prior express consent. The FCC has rulemaking authority under TCPA and has issued several major orders over the decades that tighten or clarify what that consent has to look like.
The second layer is the FCC's implementing regulations at 47 C.F.R. Part 64, Subpart L [9]. These rules translate the statute into operational requirements: the consent standard, the required disclosures, revocation rights, and the tightened one-to-one consent mandate that went live on January 27, 2025 [2].
The third layer is CTIA's Messaging Principles and Best Practices. CTIA is the trade association for the wireless industry, and its guidelines get enforced by mobile carriers who can block or filter your traffic if you don't follow them [3]. CTIA violations don't come with a private right of action the way TCPA does. But getting your short code suspended or your 10DLC campaign delisted hurts just as much in practice, because your messages simply stop arriving.
The fourth layer is state law. Several states have passed their own texting and privacy statutes that add consent, disclosure, and data-handling requirements past the federal baseline. Florida, Oklahoma, and Washington are the ones most relevant to outbound SMS marketers right now. We cover those in the state-law section below.
For a full breakdown of the statute itself, see our guide to tcpa.
What does TCPA require for SMS marketing consent?
The consent standard depends on the type of message you're sending. Informational texts need less. Marketing texts need the strict version.
For purely informational texts, TCPA requires only prior express consent, which can be oral or written. For marketing texts, the standard is prior express written consent. The FCC defines this in 47 C.F.R. § 64.1200(f)(9): a written agreement, signed by the consumer, that clearly and conspicuously authorizes the seller to deliver marketing messages using an ATDS or prerecorded voice to the number provided [9].
"Signed" here includes electronic signatures. An opt-in checkbox on a web form, a reply-Y text confirmation, or a signature on a physical form all qualify, as long as the agreement is not a condition of purchase. That last part matters. You cannot make consent to marketing texts a prerequisite for buying your product or service.
The written consent has to name the specific seller. Before January 2025, it was common to get one consent that covered a broad lead-generation network, essentially letting dozens of companies use a single opt-in. The FCC's 2024 Report and Order (FCC 23-107) closed that loophole [2]. Since January 27, 2025, each marketing text sender must be individually and specifically identified in the consent agreement. A blanket "marketing partners" disclosure no longer satisfies the rule.
Bought leads or shared opt-in consent from a third-party lead generator? Audit those records now. Consent obtained before January 27, 2025 under the old multi-seller standard is grandfathered only if it otherwise met the written-consent requirements in place at the time. Every new consent record has to name you specifically.
For a closer look at what a compliant opt-in form looks like, the sms opt-in form guide has templates and required disclosure language.
What changed with the FCC's one-to-one consent rule in 2025?
The FCC's December 2023 Report and Order (FCC 23-107) is the biggest TCPA change in a decade [2]. It does two things that hit outbound SMS operations directly.
First, it requires one-to-one consent. Each marketing text campaign has to be authorized by consent that names only that one seller. You can no longer use a single lead-form consent to serve fifty different buyers. This kills the traditional lead-gen aggregator model unless every downstream buyer collects their own consent directly.
Second, it requires that the consent be "logically and topically associated" with the website where it was obtained. Someone fills out a form on a mortgage comparison site, you can't turn around and text them about auto insurance, even if the same company owns both verticals.
The effective date for the one-to-one requirement was January 27, 2025 [2]. The FCC gave a brief implementation window, and that window is closed. If you're still running SMS campaigns on aggregated consent obtained after January 27, 2025 without individual seller identification, you're already out of compliance.
For real estate teams working off third-party leads, this is especially sharp. A lead from Zillow, Realtor.com, or a home valuation tool carries consent from that platform's terms, not yours. You need your own consent touchpoint. See our real estate text message marketing guide for how operators are rebuilding their workflows around this.
Our tcpa news today feed tracks new FCC orders and court decisions on this rule as they land.
What are the CTIA guidelines for SMS marketing in 2025?
CTIA's Messaging Principles and Best Practices set operational requirements that carriers enforce at the network level [3]. Break them and your messages get filtered or your campaign gets suspended. No lawsuit needed. The carrier just stops delivering.
Here are the core CTIA requirements every SMS marketing program has to meet:
Opt-in disclosure at the point of consent. The opt-in message or form must state the program name, that message and data rates may apply, the expected message frequency, a link to your privacy policy and terms of service, and how to opt out (STOP) and get help (HELP).
Confirmation message. After someone opts in, send a single confirmation text that restates the program name, confirms enrollment, reminds them of message frequency, states "Msg & data rates may apply," and gives STOP and HELP instructions. This message must carry no marketing content.
STOP handling. Any message containing STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT has to trigger an immediate opt-out. Your system confirms the opt-out in a final text and then ceases all further marketing messages to that number. You cannot make opt-out conditional on any action.
HELP response. Texting HELP must return the program name, a customer service contact (phone or email), and opt-out instructions.
Prohibited content. CTIA and carriers run a SHAFT-plus framework: Sex/explicit content, Hate speech, Alcohol (without age-gating), Firearms (without legal compliance), Tobacco/cannabis (without legal compliance), plus phishing, illegal drugs, and loan fraud. Send any of these through shared short codes or 10DLC and the campaign gets blocked.
10DLC registration. Since 2021, all application-to-person (A2P) SMS sent via long codes in the US has to be registered through The Campaign Registry (TCR). You register your brand and each campaign type. Unregistered traffic gets filtered by every major carrier [4].
For a full walkthrough of building a compliant program, the tcpa sms compliance guide covers campaign registration and carrier policies in detail.
What disclosures are required in the opt-in and in messages?
Disclosures live in two places: at the point of consent collection, and in the messages themselves. Both matter, and courts look at both.
At opt-in, whether that's a web form, a paper form, a keyword campaign, or a QR code, all of the following has to be visible before the consumer submits:
- Identity of the sender (your company name, specifically)
- Description of the message program (what you're going to send)
- That consent is not required to make a purchase
- Message frequency or an honest estimate ("up to 4 messages/month")
- "Msg & data rates may apply"
- Link to terms of service
- Link to privacy policy
- How to opt out
Collecting consent via a checkbox on a web form? The disclosure text has to sit directly next to the checkbox, not buried in a scroll-away terms block. The FTC's guidance on online disclosures (the ".com Disclosures" document) is instructive here even though it isn't TCPA-specific [5]. Its core principle: a disclosure has to be clear, conspicuous, and close to the claim or action it relates to.
In messages, the first marketing message after opt-in should restate who you are, especially if there's any gap between opt-in and first contact. Every message needs a clear opt-out reminder, though CTIA lets you put the full reminder in the confirmation message and then repeat it periodically (at least once a month for recurring programs) rather than in every single text.
The FCC's rules under TCPA require that any call or text include the identity of the business, individual, or other entity that initiated the contact [9]. A message that just says "Hey, your quote is ready, click here" with no sender identification violates that requirement.
See our sms opt-in guide for exact language samples that satisfy both FCC and CTIA requirements.
What are the TCPA penalties for illegal SMS marketing?
The numbers are real and they stack fast. This is the section that keeps compliance owners up at night, and it should.
TCPA gives consumers a private right of action. Any person who receives a text in violation of the statute can sue and recover $500 per violation [1]. If the court finds the violation was willful or knowing, it may treble damages to $1,500 per text message [1].
There's no cap per plaintiff in the statute. There's also no requirement to prove actual harm. The receipt of an unlawful text is itself the injury. That's why TCPA class actions are so common and so expensive. A single SMS campaign sent to 100,000 people without proper consent is a potential $50 million to $150 million exposure before attorney fees.
The FCC can bring enforcement actions separately. Its forfeitures against robocallers and text spammers have reached into the millions of dollars per company in individual administrative proceedings [11].
State attorneys general can bring parens patriae actions under 47 U.S.C. § 227(g) on behalf of state residents, and several states have done exactly that over the past few years.
The litigation environment for SMS is, bluntly, hostile to senders right now. Law firms actively recruit TCPA plaintiffs. A single employee using a personal cell number to reply to a cold text your company sent can generate a viable claim if the consent record is missing or defective. See the penalties and lawsuits hub for recent case outcomes.
For the penalty landscape in chart form, see the data table below.
What are the rules on texting times and frequency?
TCPA sets an 8 a.m. to 9 p.m. local-time window for telephone solicitations, and carriers plus CTIA apply that same window to marketing texts [1]. Send outside it and you take on both regulatory and reputational risk. Frequency is governed by what you disclosed at opt-in, not by any federal cap.
The statute says "calls," but the FCC has applied the quiet-hours principle to texts through staff guidance and enforcement letters, and CTIA's guidelines fold it in directly [3]. The practical risk of firing off a message at 2 a.m. is real on both fronts: complaints spike, and complaints drag down your 10DLC campaign standing. Some state laws extend the quiet-hours rule to texts explicitly. Florida's Mini-TCPA mirrors the federal time window [6].
On frequency, there is no federal statutory limit on how many messages you can send a consented subscriber. The limit is whatever you disclosed at opt-in. If your consent form said "up to 4 messages per month" and you send 20, you have a disclosure problem and arguably a deception problem. Courts have treated frequency as evidence of willfulness in TCPA cases, which is how you get bumped from the $500 tier to the $1,500 tier.
For high-frequency programs (daily texts, flash-sale blasts), some brands run sms double opt-in to build a cleaner consent record and cut dispute risk. It adds friction. It also adds defensibility, and in a deposition that trade is usually worth it.
Which state laws add requirements beyond TCPA for SMS marketing?
Several states have passed laws that either parallel TCPA with different thresholds or add requirements the federal law never touches. If your list skews toward any of these states, the state rule can be the one that sinks you.
Florida (FTSA). Florida's Telephone Solicitation Act was amended in 2021 to create a state analog to TCPA with some harsher provisions. It applies to any "telephonic sales call" using an automated system, which courts have read to include texts. Florida's statute does not require proof of ATDS use under the federal definition; it targets automation more broadly. Statutory damages run $500 per call or text, with trebling available for willful violations. Florida residents have filed a large volume of SMS class actions under this law since 2021 [6].
Oklahoma. Oklahoma's Telephone Solicitation Act (amended in 2022) expanded coverage to texts and created a private right of action. It also set up a state-level DNC registry that overlaps with the federal list.
Washington. Washington's Commercial Electronic Mail Act and its Consumer Protection Act have both been used in SMS cases, particularly ones involving misleading sender identification.
California. California has no direct TCPA analog for SMS, but the California Consumer Privacy Act (CCPA/CPRA) creates data-handling obligations for any personal data, phone numbers included. You have to disclose that you collect phone numbers, why, and the right to opt out of sale or sharing [7].
Texas. Texas Business & Commerce Code Chapter 305 covers automated telephone calls including texts, and mirrors much of TCPA.
List heavy on Florida, Oklahoma, or Texas residents? Talk to an attorney about state-specific consent language and opt-out handling. This is one area where the gap between the federal minimum and the state requirement is big enough to move your damages exposure.
How do you build a compliant SMS opt-in process from scratch?
Here's how a compliant opt-in process actually runs, built to satisfy the TCPA written-consent standard, CTIA guidelines, and the 2025 one-to-one consent rule at the same time.
Step 1: Design the consent capture point. Web form, paper form, keyword campaign (text JOIN to 12345), or QR code, the consent has to name your company specifically. On a web form, the opt-in language sits next to the submission button or checkbox, not hidden in linked terms. The language needs every required element: program name, sender identity, estimated frequency, data-rates notice, privacy policy link, terms link, and opt-out/help instructions. The checkbox cannot be pre-checked.
Step 2: Send the confirmation message. Right after opt-in, send one confirmation text. No marketing content. Just the program name, confirmation of enrollment, frequency reminder, "Msg & data rates may apply," STOP to unsubscribe, HELP for help. This is the CTIA-required confirmation. It's not the same as a full double opt-in that requires a second affirmative reply (that step is optional, but stronger defensively).
Step 3: Store the consent record. Log the timestamp, IP address or device ID, phone number, the exact consent language shown, and the source of the opt-in. You need to prove this in discovery. Defendants lose here constantly: the consent was real, but the record was gone.
Step 4: Honor opt-outs immediately. Your platform has to process STOP and its variants without delay. CAN-SPAM sets a 10-business-day standard that courts sometimes apply by analogy, but immediate suppression is the only defensible practice. Confirm the opt-out with one final text.
Step 5: Audit regularly. Check that consent records match your active send list. Screen new leads from any third-party source to confirm they meet the post-January 2025 one-to-one standard before you text them.
Want a ready-made audit checklist? LeadCompliant's free compliance kit has a consent-record template and a pre-send checklist that covers every item above.
For platform-level setup, our text message marketing software guide reviews the tools that handle 10DLC registration, STOP processing, and consent logging automatically.
Does TCPA apply to B2B SMS marketing?
Mostly yes, with a couple of narrow exceptions. That's the honest answer, and it surprises a lot of sales managers who assume business-to-business texting is a free zone.
TCPA applies to calls and texts to wireless numbers, period. It draws no line between consumers and businesses. If your rep texts the cell phone of a procurement manager at a Fortune 500 company without consent, that's a TCPA-covered communication [1].
There's a theoretical exception for an established business relationship (EBR), but it's much narrower than people think. An EBR can stand in for prior express consent only for non-marketing informational messages. For marketing texts, you need prior express written consent even in a B2B context.
The one spot where B2B gets slightly more room: a text sent to a business landline rather than a wireless number. Landlines can't receive SMS, so the analysis changes. But in 2025, almost every business contact you have is a cell phone, which puts you right back under the full rule.
For B2B lead generation workflows specifically, see our b2b lead generation platforms gdpr compliance guide, which covers both US and EU consent requirements when you're working international business lists.
The takeaway: run an outbound B2B SMS sequence and you need documented consent every bit as much as a consumer brand does. The damages exposure is identical. TCPA class actions against B2B sellers have been filed and settled for real money.
What are the 10DLC registration requirements for SMS in 2025?
10DLC (10-digit long code) is the backbone of A2P SMS in the US since 2021. Every marketing text sent from a standard 10-digit number has to be registered through The Campaign Registry (TCR) before it will reliably reach recipients [4].
Registration has two parts. First, you register your brand: company name, EIN, address, vertical, contact info. Second, you register each campaign, meaning each distinct use case (marketing, two-factor authentication, customer care, and so on). Each campaign must accurately describe the message content and include sample messages.
Carriers (AT&T, Verizon, T-Mobile) use TCR registration data to decide whether to deliver or filter your messages. Unregistered long-code traffic gets filtered hard. Registered campaigns with high complaint rates or content that doesn't match the description they filed also get filtered or suspended.
The fees are real but small. As of 2024, brand registration costs around $4 one-time through most CPaaS providers. Campaign registration fees vary by type, generally $10 to $15 per campaign per month [4]. Some carriers tack on their own per-message surcharges for A2P SMS.
Short codes (5 or 6-digit numbers) require a separate application and vetting process through the US Short Code Registry, which costs a lot more (roughly $500 to $1,000 per month for a dedicated short code) but has historically had higher deliverability [10]. Shared short codes were effectively deprecated by carriers in 2021 over abuse concerns.
Toll-free numbers used for SMS need their own verification through the toll-free verification registry, which has run into backlogs and its own compliance enforcement.
For help choosing the right number type for your program, see our marketing text message service guide.
What records do you need to keep to defend a TCPA claim?
Consent records are your entire defense in a TCPA case. Can't produce them, you're likely settling. It really is that simple.
Retain, at minimum:
- The phone number exactly as it was collected
- The date and timestamp of opt-in (UTC is fine, just be consistent)
- The source of the opt-in (URL, campaign name, keyword, form ID)
- The exact consent language displayed at the time of opt-in (a screenshot or HTML archive is ideal)
- The IP address of the device that submitted the opt-in
- Any double opt-in confirmation and the timestamp of that confirmation reply
- The opt-out record and timestamp if the person later unsubscribed
How long do you keep all this? TCPA has a four-year federal statute of limitations under 28 U.S.C. § 1658 [1]. Some state claims have longer lookback periods. Retain consent records for at least five years from the date of last contact and you'll cover the common cases.
Store them somewhere you can actually query. A CSV in a Dropbox folder does not cut it for litigation. You need to run a query like "show me every consent record, opt-in timestamp, source URL, and message history for phone number X" and get an answer within hours of a demand letter, not days.
Keep DNC scrub records too: the date you pulled the federal DNC list, the date you applied it, and the version you used. Federal DNC registrations take effect within 31 days of registration [8]. Text someone who registered 45 days before your scrub, with no record of the scrub, and you've handed the other side an easy claim.
LeadCompliant's one-time compliance kit includes a consent-record schema and a data-retention policy template you can adapt to your stack.
Frequently asked questions
Does TCPA apply to text messages, or just phone calls?
TCPA applies to both. The statute covers any call or text to a wireless number made with an automatic telephone dialing system. The FCC has consistently treated SMS as covered by 47 U.S.C. § 227. Every marketing text to a cell phone requires prior express written consent under the same standard that applies to automated marketing calls.
What is prior express written consent under TCPA?
It's a signed agreement, electronic signatures included, in which the consumer clearly authorizes a specific named seller to send marketing messages to a specific phone number using an automated system. The agreement cannot be a condition of purchase. It must include the seller's identity, a description of what will be sent, and an acknowledgment that consent isn't required to buy anything.
What changed in TCPA SMS rules in January 2025?
The FCC's one-to-one consent rule took effect January 27, 2025. It requires that each marketing text sender be individually named in the consumer's consent agreement. A single lead-gen opt-in that listed multiple marketing partners no longer satisfies TCPA. Each downstream seller must now obtain their own direct, named consent from the consumer.
Can I text people who gave consent before the 2025 FCC rule change?
Pre-January 2025 consent isn't automatically invalidated, but it had to meet the written-consent standard in place at the time. If the old consent named you specifically and was otherwise compliant, you can likely keep using it. If it relied on a broad multi-seller disclosure that didn't name you, get fresh consent before you send again.
How much does a TCPA violation cost per text message?
The statute provides $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing ones. There's no statutory cap per plaintiff. A campaign sent to 100,000 people without valid consent represents a potential $50 million to $150 million exposure. Courts have discretion to treble damages but aren't required to.
What is 10DLC and do I need to register my SMS campaign?
10DLC stands for 10-digit long code. Since 2021, all application-to-person (A2P) marketing SMS sent from standard 10-digit US phone numbers must be registered with The Campaign Registry (TCR). Unregistered traffic gets filtered by carriers. Brand registration costs around $4 one-time; campaign registration runs roughly $10 to $15 per month per campaign type.
Does TCPA apply to B2B text message marketing?
Yes. TCPA applies to texts sent to wireless numbers regardless of whether the recipient is a consumer or a business person. Texting a procurement manager's cell phone without prior express written consent is a TCPA violation. The established business relationship exemption does not cover marketing texts. B2B SMS programs need the same written-consent standard as consumer programs.
What opt-out words must I honor in SMS marketing?
CTIA guidelines and carrier policies require you to honor STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. You have to process the opt-out immediately and confirm it with one final text. You cannot require any additional steps or conditions to complete the opt-out. After opt-out, suppress all further marketing messages to that number.
What states have their own SMS marketing laws beyond TCPA?
Florida's Telephone Solicitation Act (FTSA, amended 2021) is the most litigated state analog to TCPA for texts. Oklahoma and Texas have similar statutes. California's CCPA/CPRA adds data privacy obligations. Washington has used its Consumer Protection Act in SMS cases. Florida and Oklahoma have active private rights of action that plaintiffs' firms use heavily.
What disclosures are required in an SMS opt-in form?
The opt-in must disclose: sender identity (your company name specifically), program description, that consent isn't required to purchase, a message frequency estimate, "Msg & data rates may apply," a link to your privacy policy, a link to your terms of service, and how to opt out (STOP) and get help (HELP). All of it has to be visible before the consumer submits, adjacent to the checkbox or submit button.
What hours can I legally send marketing texts?
TCPA's quiet-hours rule for telephone solicitations covers 8 a.m. to 9 p.m. in the recipient's local time. The FCC and CTIA guidelines apply the same window to marketing SMS. Florida's FTSA applies this time restriction to texts explicitly. Sending outside these hours raises both regulatory risk and carrier complaint rates, which drag down your 10DLC campaign standing.
How long do I need to keep SMS consent records?
TCPA has a four-year federal statute of limitations. Some state TCPA analogs have longer lookback periods. Retain all consent records, including timestamps, source URLs, the consent language displayed, and opt-out records, for at least five years from the date of last contact. Records have to be queryable in litigation, meaning a searchable database rather than archived files.
Can I use leads from a third-party lead generator for SMS marketing after 2025?
Only if the consent record specifically names your company and was collected after January 27, 2025 under the FCC's one-to-one consent rule. Aggregated consent that listed your company as one of many marketing partners no longer qualifies. For new leads from generators, either collect your own consent directly or confirm the generator's form named you specifically before texting that list.
What is the difference between a short code, a long code, and a toll-free number for SMS?
Short codes (5 to 6 digits) are high-throughput numbers leased from the US Short Code Registry, costing $500 to $1,000 per month dedicated. Long codes (10DLC) are standard 10-digit numbers requiring TCR registration, at roughly $10 to $15 per campaign per month. Toll-free numbers need separate toll-free SMS verification. All three require compliant opt-in consent; the number type doesn't change the consent obligation.
Sources
- US House of Representatives, Office of Law Revision Counsel: 47 U.S.C. § 227 (TCPA text): TCPA statute text: $500 per violation, $1,500 for willful violations, prior express consent requirement, quiet-hours rule, private right of action, four-year limitations period under 28 USC 1658
- The Campaign Registry (TCR), official A2P 10DLC registration platform: 10DLC brand registration approximately $4 one-time; campaign registration approximately $10-$15 per month per campaign; all A2P long-code SMS must be registered
- FTC, .com Disclosures: How to Make Effective Disclosures in Digital Advertising: FTC guidance that digital disclosures must be clear and conspicuous, adjacent to the relevant action, not buried in linked terms
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Chapter 501 F.S.: Florida FTSA amended 2021: $500 per violation, applies to automated texts to Florida residents, private right of action, mirrors TCPA quiet-hours rule
- California Attorney General, California Consumer Privacy Act (CCPA) overview: CCPA/CPRA requires disclosure of personal data collection including phone numbers, purpose, and consumer right to opt out of sale or sharing
- FTC, National Do Not Call Registry: business information: Federal DNC registrations take effect within 31 days of registration; sellers must scrub lists against current DNC registry
- FCC, 47 C.F.R. Part 64, Subpart L: restrictions on telephone solicitations and telephone facsimile machines: FCC implementing regulations: prior express written consent standard for marketing calls/texts, 8am-9pm calling hours, required caller identification disclosures
- US Short Code Registry, administered by Somos Inc.: Dedicated short codes cost approximately $500-$1,000 per month; shared short codes deprecated by carriers in 2021