SMS message frequency disclosure requirements for compliance

Every SMS program must disclose message frequency at opt-in. Learn exactly what to say, where to say it, and what a violation costs under TCPA and CTIA rules.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-10

Person reviewing an SMS opt-in form next to a smartphone showing a text message frequency disclosure
Person reviewing an SMS opt-in form next to a smartphone showing a text message frequency disclosure

TL;DR

Federal law and carrier rules both require any recurring SMS marketing program to disclose how often messages will be sent, right at the point of opt-in. The standard phrase is 'Msg frequency varies' or a specific number. A missing disclosure can void consent under the TCPA, expose you to $500 to $1,500 per text in statutory damages, and get your campaign suspended by carriers.

What is the SMS message frequency disclosure requirement?

It's a short, plain-language statement telling subscribers how many texts to expect per week or month, or admitting the count will vary. It has to appear at the exact moment someone opts in, whether that happens through a web form, a paper form, a keyword reply, or a verbal agreement you capture in writing.

The CTIA (Cellular Telecommunications Industry Association) Messaging Principles and Best Practices, which carriers treat as the enforceable standard for short code and 10DLC programs, requires that both the opt-in call-to-action and the opt-in confirmation message include a frequency disclosure [1]. If frequency genuinely varies, the accepted language is "Msg frequency varies." If you send a fixed number, say it: "4 msgs/month."

This sits on top of the consent requirements in the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, not instead of them [2]. The TCPA doesn't print a frequency-disclosure sentence word for word. But courts have found that consent obtained without material disclosures about the nature of the program, including how often a consumer gets contacted, fails the "clear and conspicuous" standard the FCC set for prior express written consent [3]. So a missing frequency line can retroactively kill consent you thought you had.

Where exactly does the frequency disclosure have to appear?

Three places, and you need all three to have a defensible program.

First, in the call-to-action (CTA). That's the sign-up form, landing page, paper coupon, or keyword prompt that starts the opt-in. The frequency statement has to be visible here, before the consumer submits their number. It can't hide in a linked terms page alone. CTIA guidance says the disclosure should be clear and conspicuous on the same screen or close to the opt-in mechanism [1].

Second, in the opt-in confirmation message. When your platform fires the auto-reply confirming subscription, that message needs frequency language too. A compliant confirmation reads: "You're now subscribed to Acme Deals alerts. Msg frequency varies. Msg & data rates may apply. Reply STOP to cancel, HELP for help."

Third, in your full SMS terms of service page, which the CTA has to link to. This is where you expand on the details. The linked terms supplement the on-screen disclosure. They don't replace it.

Carriers and aggregators who onboard brands for 10DLC registration audit these elements during campaign approval [4]. If your registration materials don't show a compliant CTA and confirmation flow, your campaign gets rejected or throttled before you send a single message.

What are the required elements of an SMS opt-in disclosure beyond frequency?

Frequency is one piece of a larger mandatory set. You need them all together. The CTIA Messaging Principles specify these elements in or alongside the opt-in [1]:

Required ElementExample Language
Program/brand identity"Acme Deals text alerts"
Message frequency"Msg frequency varies" or "4 msgs/month"
Carrier cost notice"Msg & data rates may apply"
How to opt out"Reply STOP to cancel"
How to get help"Reply HELP for help or call 1-800-XXX-XXXX"
Link to Privacy Policy"Privacy policy: [URL]"
Link to Terms of Service"Terms: [URL]"

Every row is required. Missing "Msg & data rates may apply" gets you flagged by carriers as fast as missing the frequency line. These elements travel together because together they establish informed consent, and informed consent is the whole legal foundation for sending marketing texts under the TCPA.

For how these consent standards work across both voice and SMS, see our overview of tcpa requirements.

TCPA SMS violation: key numbers Statutory figures every SMS sender should know $500 Statutory damages per text (standard) $1,500 Statutory damages per text (willful) $500 Florida FTSA damages per text $4 Years to retain consent records (TCPA limitations p… Source: 47 U.S.C. § 227, FCC 12-21, Florida FTSA § 501.059

What does TCPA say about frequency disclosures specifically?

The TCPA at 47 U.S.C. § 227(b)(1)(A) bars using an automatic telephone dialing system or prerecorded voice to call or text mobile phones without prior express consent [2]. The statute prints no checklist of required disclosure sentences. That detail lives in the FCC's implementing rules at 47 C.F.R. § 64.1200 and in the FCC orders defining what "prior express written consent" means in practice [9].

The FCC's 2012 Report and Order (FCC 12-21) tightened the consent standard for telemarketing calls and texts. It requires consent be "unambiguous" and that the consumer get a "clear and conspicuous disclosure" that they'll receive autodialed or prerecorded messages [3]. Courts read that standard to mean the consumer must understand the nature of what they're agreeing to, frequency included. A disclosure so vague a person couldn't reasonably expect 20 texts a month isn't unambiguous.

The FCC's 2023 one-to-one consent order (FCC 23-107) went further, requiring consent be logically and topically related to the specific seller [5]. That order has a messy implementation history thanks to court challenges. The direction is clear anyway: more specificity in disclosures, not less. When you're unsure, get more specific about frequency.

What do carriers and 10DLC registration require about frequency?

Carriers, through The Campaign Registry (TCR) and their aggregator partners, treat CTIA guidelines as binding contract terms, not suggestions. When you register a 10DLC campaign, you submit a sample message and a description of your opt-in method [4]. Reviewers check whether your opt-in flow carries all the required disclosures. Frequency is on the checklist.

Approve the campaign, then send at a rate that doesn't match your registration, and carriers can filter or block your traffic. T-Mobile, AT&T, and Verizon each keep their own supplemental code of conduct for business messaging, and all three point to CTIA guidelines as the standard [4]. Short code programs face an even stricter audit during the Carrier Service Provider (CSP) approval phase.

This matters for small teams because a carrier suspension hits immediately and operationally. No warning letter. Your messages just stop delivering. The fix is retroactive cleanup plus re-registration, which can take weeks. Getting the frequency disclosure right at launch costs far less than explaining to your sales team why texts aren't going through.

One practical note. If frequency genuinely swings with user behavior (you send alerts only when a price drops), use "Msg frequency varies" instead of a fixed number. Say "2 msgs/month" and then push 12 in a busy month, and the disclosure becomes materially false. That's a second problem stacked on the first.

What does a compliant opt-in call-to-action look like in practice?

Here's a web form CTA that satisfies both CTIA and FCC standards. The disclosure text sits directly below the phone number field, above the submit button, in a font no smaller than the surrounding body text:

"By entering your phone number and clicking 'Subscribe,' you agree to receive up to 4 promotional text messages per month from Acme Deals at the number provided. Msg & data rates may apply. Reply STOP to cancel, HELP for help. View our [Privacy Policy] and [Terms of Service]."

A keyword opt-in CTA, say on a store receipt, looks like this:

"Text DEALS to 12345 to join. Up to 4 msgs/month. Msg & data rates may apply. STOP to cancel."

And the confirmation reply your system sends after the keyword:

"Acme Deals: You're subscribed! Up to 4 msgs/month. Msg & data rates may apply. Reply STOP to cancel, HELP for help. Terms: acme.com/sms-terms"

Notice the confirmation fits in a single SMS. The limit is 160 characters before a message splits. Keeping it under 160 isn't about cost. Multi-part messages can arrive out of order, which separates the disclosure from the program name and muddies the record.

If you want a checklist for reviewing your own opt-in flows, LeadCompliant's free compliance kit includes a disclosure audit template you can run against every active SMS program you operate.

What happens if you skip or misdescribe the frequency disclosure?

Three bad things, and they aren't mutually exclusive.

First, your consent gets legally shaky. If a plaintiff's attorney shows the opt-in form lacked a compliant disclosure, your "prior express written consent" defense collapses. TCPA statutory damages run $500 per violation, up to $1,500 per violation if the court finds the violation willful or knowing [2]. One class action covering 50,000 subscribers with 10 texts each is 500,000 violations at minimum. The math is punishing.

Look at the cash app tcpa class action settlement or the credit one tcpa settlement for how fast these numbers compound in real cases. Both involved fights over the adequacy of consent disclosures.

Second, carriers can suspend your sending capability. As above, that's operational more than legal, and it's fast.

Third, the FCC can refer violations to the DOJ for enforcement. Rare for small senders, but the FCC has assessed forfeiture penalties against businesses for TCPA violations, with individual fines sometimes reaching into the millions for large-scale campaigns [3].

The baseline risk for a small team texting without a frequency disclosure isn't hypothetical. Plaintiff-side TCPA firms actively scan for non-compliant SMS programs using test phone numbers. A single test subscriber getting texts without proper disclosure is enough to trigger a demand letter.

Do frequency disclosure rules apply to transactional texts too?

Transactional texts (order confirmations, shipping updates, appointment reminders) get lighter treatment under the TCPA because they aren't "telemarketing" in the statutory sense. The TCPA splits informational calls and texts, which need prior express consent (a lower bar), from telemarketing calls and texts, which need prior express written consent (a higher bar with more disclosure requirements) [2].

CTIA guidelines apply to all business SMS programs regardless of whether the content is transactional or marketing. Carriers treat frequency and opt-out disclosures as required for any recurring messaging program. The practical standard: even for a pure transactional program, put "Msg frequency varies" and "Reply STOP to cancel" in your confirmation. It takes 20 characters and kills the ambiguity.

The real danger for transactional programs is content drift. A shipping-update program that starts adding promotional content, even a small banner for a sale, becomes marketing in the FCC's view. At that point your consent level and disclosure completeness for a transactional opt-in no longer cover you. Teams that run mixed programs, some transactional and some promotional, to the same subscriber list fall into this trap all the time.

For how the TCPA applies to text message marketing more broadly, that article walks through the consent tiers.

How often can you actually text subscribers once they opt in?

No federal law sets a hard cap on how many texts you can send per month to a consenting subscriber. The TCPA's limits are about consent and method, not a magic number. You could legally send daily texts if your opt-in disclosure said "up to 31 msgs/month" and the subscriber agreed.

The real question is what frequency you disclosed. Say 4 messages a month, send 20, and you have a problem even with consenting subscribers, because the disclosure was materially misleading. Some plaintiffs' attorneys argue that exceeding disclosed frequency is itself a consent violation.

On the practical side, opt-out data suggests programs sending more than 4 to 6 messages per month see meaningfully higher opt-out rates. Some platform providers put opt-outs at 2 to 3 times the baseline above that threshold. Nobody has published a rigorous peer-reviewed study on this, and the figures come from providers' own data, so treat them as directional.

If you use a keyword like "MORE" or "LESS" to let subscribers pick their frequency tier, write separate opt-in confirmation language for each tier. It's cleaner for consent and tends to lower opt-out rates, because subscribers feel in control.

Do state laws add anything on top of federal frequency disclosure rules?

Yes, and the gap keeps growing. Florida, Washington, Oklahoma, and several other states passed their own mini-TCPA statutes with additional or stricter consent requirements for commercial texts [6]. As of mid-2025, none mandate a specific frequency-disclosure format beyond CTIA and FCC. But they change the underlying consent standard, which loops right back to disclosure adequacy.

Florida's Telephone Solicitation Act (FTSA) is the most aggressive state law in active litigation. It covers calls and texts to Florida numbers and carries a private right of action with statutory damages of $500 per call or text for first violations [6]. Florida courts stay busy with FTSA cases, and plaintiff attorneys there care about disclosure defects just as much as their federal counterparts.

California's angle comes through the CCPA and California's Automatic Renewal Law (ARL), which adds disclosure requirements for subscription-based SMS programs, including free-trial terms and the cancellation mechanism [7]. If your SMS program involves a paid subscription or recurring charge, the ARL requires that cancellation instructions appear clearly in the initial offer material.

The practical takeaway for small teams with a national list: design your disclosures to the strictest applicable standard. That's usually CTIA plus Florida FTSA plus California ARL if you have any subscription element. Write to that level and you'll pass in every other state.

How do you audit an existing SMS program for frequency disclosure compliance?

Start by pulling every active opt-in source: web forms, landing pages, paper forms, keywords, point-of-sale prompts, and any verbal opt-in scripts. For each one, check whether all seven elements from the CTIA table show up, frequency line included.

Next, pull the auto-reply confirmation for each program. Run the same checklist. Fix any missing element right away, because that message fires on every new opt-in.

Then compare your stated frequency against your actual send frequency over the last 90 days. If actual sends beat disclosed frequency for any subscriber segment, you have live exposure.

For ongoing monitoring, the simplest system is a quarterly audit where someone with a test phone number opts into each program from scratch and captures the full disclosure flow with screenshots. Store those screenshots with a timestamp. If a demand letter ever lands, being able to show your opt-in flow was compliant on a specific date is worth real money.

LeadCompliant's free compliance checkers can flag missing disclosure elements in your setup if you want a tool to run against your flows instead of doing it by hand.

If your team also does outbound cold calling, the overlap between SMS consent rules and do not call list requirements is worth understanding. Many of the same consumer phone numbers land on both lists, and the consent standards interact.

What records do you need to keep to prove frequency disclosure compliance?

The FCC and plaintiffs' attorneys want the same thing: proof that a specific person consented to your texts after seeing a compliant disclosure. Your recordkeeping needs to capture:

1. The exact opt-in language the subscriber saw, frequency disclosure included, with a version-controlled record if you ever change it 2. The timestamp of opt-in 3. The IP address or other identifier linking the opt-in to the specific subscriber 4. The source of opt-in (form URL, keyword, etc.) 5. The confirmation message that was sent, and when

For web-based opt-ins, most marketing platforms log the timestamp and IP automatically. The part teams miss is preserving the historical version of the form the person actually saw. Update your web form with a new frequency disclosure and you need to know which version each subscriber saw.

The FCC sets no mandatory retention period for consent records under the TCPA. But the four-year federal statute of limitations for TCPA claims [2] is the practical floor. Keep consent records at least four years from the date of consent, longer if your state's limitations period runs longer.

For paper opt-ins, photograph or scan the form, timestamp it, and store it in a searchable system tied to the subscriber's phone number. Paper forms are a compliance risk exactly because they're hard to audit at scale.

Frequently asked questions

Is 'Msg frequency varies' always acceptable or do I need a specific number?

'Msg frequency varies' is acceptable under CTIA guidelines when your send rate genuinely swings with triggers like user behavior or inventory changes. If you send a predictable fixed number, state that number. Using 'varies' when you always send exactly four messages per month is technically compliant but gives you less protection if a subscriber claims the volume surprised them.

Does the frequency disclosure need to be in the text message itself or just on the sign-up form?

Both. CTIA requires the disclosure in the opt-in call-to-action (the sign-up form, receipt, or keyword prompt) and in the opt-in confirmation text your system sends right after someone subscribes. Putting it only in the form or only in the confirmation text falls short of full compliance. Both touchpoints need the full required disclosure set.

Can I put the frequency disclosure only in my terms of service and just link to it?

No. A link to full terms is required, but it supplements the on-screen disclosure, it doesn't replace it. The frequency statement, carrier cost notice, and opt-out instructions have to appear visibly on the same page as the opt-in mechanism or in the confirmation text. A buried link a consumer has to click to find frequency info fails the 'clear and conspicuous' FCC standard.

What is the penalty for sending texts without a proper frequency disclosure?

Under the TCPA, each text sent without valid consent (which a defective disclosure can void) carries statutory damages of $500, rising to $1,500 per message for willful violations. There's no cap in a class action. Carriers can also suspend your 10DLC or short code campaign immediately. State laws like Florida's FTSA add another $500 per text under their own private right of action.

Do frequency disclosures apply to one-time SMS messages like appointment reminders?

A true one-time transactional message, like a single order confirmation, carries lighter requirements because it's informational, not marketing. But if you run any recurring program, including recurring appointment reminders, CTIA guidelines require the frequency disclosure in your opt-in confirmation. The safest practice is to include 'Msg frequency varies' and 'Reply STOP to cancel' in any opt-in confirmation, even for transactional programs.

What character limit applies to the opt-in confirmation message?

A standard SMS is 160 characters. Exceed that and the confirmation splits into multiple segments, which costs more and can arrive out of order on some networks, possibly separating the program name from the disclosure. Aim to keep the confirmation under 160 characters. You can abbreviate: 'Msg & data rates may apply' can shorten to 'Msg&data rates may apply,' and 'Reply STOP to cancel, HELP for help' is the standard compact form.

Does switching from a short code to a 10DLC number require updating my frequency disclosure?

The disclosure language itself doesn't change with number type, but the 10DLC campaign registration process makes you submit your opt-in flow for review. That's a good forcing function to audit and update disclosures that passed under older carrier standards but might not clear current CTIA review. Many teams find stale disclosures during 10DLC registration that had been quietly non-compliant for years.

Can a subscriber waive the frequency disclosure requirement by agreeing to broad terms?

No. The FCC's standard for prior express written consent requires the disclosure be specific enough that the consumer understands what they're agreeing to. A blanket agreement to 'receive communications' with no frequency context doesn't satisfy the standard. Courts have consistently rejected attempts to use broad consent language as a substitute for the specific disclosures the FCC requires.

Do B2B SMS programs need the same frequency disclosures as B2C programs?

The TCPA applies to the phone number, not to whether the recipient is a consumer or a business. If you're texting a mobile phone, which most B2B contacts use exclusively, the TCPA applies. Carrier rules apply equally to all 10DLC campaigns regardless of audience. A B2B SMS program needs the same frequency disclosure at opt-in as a retail SMS program.

How does the frequency disclosure interact with the Do Not Call Registry?

The National Do Not Call Registry primarily covers voice calls but also reaches text messages under FCC rules, since texts to mobile phones are treated as calls under the TCPA [8]. A number on the DNC registry can't receive telemarketing texts even if the person once gave consent, unless that consent went to your specific organization after they registered. Frequency disclosure compliance and DNC scrubbing are separate obligations that both apply to SMS marketing.

What if I buy a subscriber list where frequency disclosures were made by a third party?

High-risk territory. Under the FCC's one-to-one consent rule (FCC 23-107), consent obtained by one entity doesn't transfer to a different seller automatically. The disclosure the subscriber saw named the original company, not yours, and may have described a different program and frequency. Purchased lists with third-party consent are among the most common sources of TCPA litigation. Don't rely on third-party consent for SMS marketing without your own legal review.

How do I update subscribers if I need to change the message frequency I disclosed?

Send a standalone notification text before the change, telling subscribers the new send rate and reminding them they can reply STOP to opt out. This is the standard approach and shows good faith. You can't retroactively change what subscribers consented to without giving them a real chance to exit. Document the notification send date and content the same way you document opt-in records.

Does the FCC enforce frequency disclosure rules directly or does enforcement come through private lawsuits?

Both. The TCPA creates a private right of action, which is why most enforcement comes through class actions rather than government action. The FCC can also assess forfeitures through administrative proceedings and refer cases to the DOJ for civil enforcement. For most small businesses, the realistic risk is a plaintiff's attorney, not an FCC investigation, but both are legally possible.

Sources

  1. CTIA, Messaging Principles and Best Practices: CTIA requires opt-in confirmation messages and CTAs to include frequency disclosure, carrier cost notice, opt-out instructions, and help instructions for all business SMS programs
  2. Legal Information Institute, 47 U.S.C. § 227 (TCPA full text): TCPA prohibits autodialed or prerecorded messages to mobile phones without prior express consent; statutory damages are $500 per violation, up to $1,500 for willful violations; four-year federal statute of limitations applies
  3. FCC, Report and Order FCC 12-21 (2012 TCPA consent rules): FCC 12-21 required 'prior express written consent' for telemarketing calls/texts and mandated 'clear and conspicuous disclosure' that the consumer will receive autodialed or prerecorded messages; the FCC can assess forfeiture penalties for TCPA violations
  4. The Campaign Registry (TCR), 10DLC Campaign Registration: 10DLC campaign registration requires submission of sample messages and opt-in flow; carriers audit frequency and other disclosures during campaign approval
  5. FCC, Report and Order FCC 23-107 (one-to-one consent rule, 2023): FCC 23-107 requires that TCPA consent be logically and topically related to a single, named seller, tightening the specificity required in consent disclosures
  6. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059 F.S.: Florida's FTSA provides a private right of action with $500 statutory damages per violation for unsolicited commercial texts or calls to Florida numbers, including for disclosure defects
  7. California Legislative Information, California Automatic Renewal Law, Bus. & Prof. Code § 17600: California's Automatic Renewal Law requires clear disclosure of subscription terms, cancellation instructions, and recurring charge details in the initial offer for subscription-based SMS programs
  8. FCC, 47 C.F.R. § 64.1200 (TCPA implementing regulations): FCC implementing regulations define prior express written consent standards and disclosure requirements for autodialed and prerecorded telemarketing messages
  9. Federal Trade Commission, National Do Not Call Registry: The National Do Not Call Registry covers text messages sent to mobile phones under FTC and FCC joint enforcement authority

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit