Last updated 2026-07-10

TL;DR
Before you send a marketing text, you need prior express written consent that names your business, describes the messages, and says message and data rates may apply. Get it wrong and each text costs $500 to $1,500 under 47 U.S.C. § 227. This guide covers every consent requirement, what a valid opt-in looks like, how to handle opt-outs, and what records to keep.
What is SMS opt-in compliance and why does it matter?
SMS opt-in compliance is the set of legal and carrier rules a business has to satisfy before texting anyone a marketing message. The core law is the Telephone Consumer Protection Act, 47 U.S.C. § 227, which Congress passed in 1991 and the FCC has updated many times since. [1] It applies to texts sent with an autodialer or a short code, and in practice almost every business texting platform qualifies.
The stakes are real. The TCPA gives every person who gets an unconsented text the right to sue you directly, no regulator required. Damages run $500 per text for ordinary violations and $1,500 per text for willful ones. [1] A bad list of 10,000 numbers is not a $50,000 problem. It is a $15 million problem if a court finds willfulness. Class actions in this space settle in the seven figures on a regular basis.
Carriers pile on their own layer. The CTIA (the wireless industry trade group) publishes messaging principles that carriers enforce through filtering and account suspension. [2] Get flagged and your messages stop delivering, whether or not the FCC ever hears about you. Compliance is a legal problem and an operational one at the same time.
What does the TCPA actually require for SMS consent?
The TCPA sets three consent levels based on what the message is for. Informational texts (a flight delay notice, say) need prior express consent. Marketing texts need prior express written consent, a higher bar the FCC introduced in 2012. [3] Get the category wrong and you apply the wrong standard.
Prior express written consent for marketing texts requires:
1. A written agreement (digital is fine, a paper form is fine, a checkbox on a web page is fine). 2. The consumer's signature (an electronic signature under E-SIGN qualifies). 3. A clear and conspicuous disclosure that the person is authorizing autodialed or prerecorded marketing messages. 4. The name of the specific seller or advertiser. 5. A statement that consent is not a condition of purchase.
The FCC's 2012 order, codified at 47 C.F.R. § 64.1200(f)(9), set these requirements. [3] The "not a condition of purchase" line is not decoration. Bury it or drop it and that alone is a violation.
In December 2023 the FCC issued a new order tightening consent for lead generation, requiring one-to-one consent: consent given on a single web form cannot be resold or handed off to a pile of other sellers. [4] Courts have chewed on parts of that rule, but the FCC's aim is plain. Blanket forms that authorize "our marketing partners" are on borrowed time. If you buy leads, you have to confirm the consumer consented to you by name, not to the lead generator's universe of partners.
For how the TCPA interacts with specific platform choices, see our guide to tcpa sms compliance.
What makes a valid SMS opt-in? The exact language and format
A valid SMS opt-in captures five things at once, at the moment of signup. Picture a disclosure block sitting right next to whatever checkbox or field the consumer is agreeing to.
Here is the structure that holds up:
What to disclose:
- Your legal business name (the entity that will send the texts)
- The nature of the messages ("promotional offers and updates about [Brand]")
- Estimated frequency ("approx. 4 messages per month")
- "Message and data rates may apply"
- How to opt out ("Reply STOP to unsubscribe")
- How to get help ("Reply HELP for help")
- A link to your privacy policy and terms of service
The CTIA Messaging Principles require frequency disclosure and opt-out instructions at the point of consent for all marketing programs. [2] The FCC does not dictate word-for-word language, but it does demand that the disclosure be "clear and conspicuous." That rules out 6-point font below the fold or text tucked inside a linked terms document the consumer never opens.
What format works? A web form checkbox is the most common. It cannot be pre-checked. A pre-checked box is not a consumer affirmatively agreeing to anything. A keyword opt-in also works (the consumer texts "JOIN" to your number), but you have to fire back an immediate confirmation that restates the program name, frequency, "msg & data rates may apply," and STOP/HELP. That confirmation is required by CTIA standards, and it is good legal hygiene under the TCPA.
For help building the form itself, see our reference on SMS opt-in form: what it must say and how to build one.
What does not work: a prior business relationship by itself, a verbal yes over the phone with no written record, a generic "contact me" checkbox that never mentions texts, or consent buried on page 38 of a terms of service.
How does double opt-in work and do you need it?
Double opt-in means you send a confirmation text after signup and only add the person to your active list once they reply to confirm. The TCPA does not require it. Nothing in 47 U.S.C. § 227 mandates it.
So why do it? Four reasons.
First, it gives you a timestamped record that the person actually controlled the phone number at the moment of consent. If they later claim they never signed up, that confirmation reply is strong evidence. Second, carriers and spam filters treat double-opted-in lists better because they produce fewer complaints. Third, some state laws and some platform terms treat it as a baseline (Twilio recommends it for certain use cases). Fourth, it cleans your list. People who never confirm are either uninterested or entered a bad number, and texting them burns money and drives up opt-out rates.
The downside is list shrinkage. Depending on the channel, somewhere between 20% and 50% of initial opt-ins never finish the confirmation step. That is real subscriber loss. If your acquisition cost is already high, double opt-in has a price.
My honest take: above a few hundred contacts, turn it on. The legal cover is worth the shrinkage. For a full breakdown, see our piece on sms double opt-in.
What are the TCPA penalties for sending texts without consent?
The TCPA is unusual because the plaintiff does not have to prove any actual harm. Each text to a number without proper consent is its own violation, and the damages stack. [1]
| Violation type | Statutory damages per text |
|---|---|
| Ordinary violation | $500 |
| Willful or knowing violation | $1,500 |
| State-added damages (where allowed) | Varies |
The FCC can also impose civil penalties through its own enforcement authority, though private class actions have driven most of the liability. The FTC has separate authority under the CAN-SPAM Act for email, plus overlapping jurisdiction on deceptive practices.
Settled cases show the scale. Papa John's settled a TCPA class action for $16.5 million in 2013 over promotional texts. [5] Jiffy Lube settled for $47 million in 2016 over marketing texts. [5] Those are not freak outcomes. They are what high-volume text marketing without tight consent produces.
The math is simple. One unconsented promotional text to 100,000 people is $150 million of maximum exposure at the willful rate. Plaintiff attorneys know it and take these cases on contingency. That asymmetry is why even a small team has to treat SMS consent as a legal matter, not marketing housekeeping.
For current developments in the case law, our tcpa news today feed is worth bookmarking.
Do state laws add any extra SMS opt-in requirements?
Yes, and it gets messier every year. Federal TCPA is the floor. A growing list of states raises the ceiling.
California's Consumer Privacy Act (CCPA), amended by the CPRA, gives California residents the right to opt out of the sale of their personal information, which includes phone numbers used for marketing. [6] Collect phone numbers in California and your opt-in flow needs a CCPA-compliant privacy notice plus a way for consumers to request deletion.
Florida went further. As of July 2021, the Florida Telephone Solicitation Act (FTSA) bans autodialed calls and texts to Florida residents without prior express written consent, a standard close to the TCPA but with its own private right of action. [7] Florida plaintiffs can sue under the TCPA and the FTSA at the same time, which multiplies exposure fast.
Texas, Washington, and Oklahoma run their own telephone solicitation laws that touch SMS to different degrees. Washington's Commercial Electronic Mail Act (CEMA) covers commercial texts sent to Washington numbers. [8]
If you market nationally, you live under the strictest standard that applies at any given moment. More and more, that means California and Florida.
One spot where state law surprises B2B senders: the TCPA's business-to-business carve-outs are narrower than people assume. See our article on b2b lead generation platforms gdpr compliance for how GDPR parallels play out across borders.
How do you handle opt-outs correctly?
The TCPA and FCC rules require you to honor opt-out requests promptly. The CTIA standard is that STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT all trigger immediate suppression. [2] "Immediate" means same business day at the very outside, but your platform should process it in real time, automatically.
You also send one confirmation text after a STOP. It can only say something like "You've been unsubscribed from [Brand] alerts. You'll receive no further messages." No marketing content. No attempt to win them back.
Once someone opts out, you cannot text them again unless they re-opt-in through a fresh, compliant consent flow. A phone-call consent, an email opt-in, or an in-store purchase does not rebuild SMS consent. Those are separate channels with separate consent.
Suppression list management is where small teams fall down. If you have several tools sending texts (a CRM, a standalone SMS tool, an email/SMS hybrid), every one of them has to pull from the same suppression list. A contact who opted out in your SMS platform but stayed active in your CRM will get texted again the next time someone exports and re-imports a list. Most courts read that as willful, because the opt-out was documented and you texted anyway.
For teams on Twilio, see our notes on Twilio TCPA compliance: what you actually need to do for how suppression sync works across that stack.
What records do you need to keep for SMS consent?
If a plaintiff or regulator asks you to prove consent, you have to produce it. "We had a checkbox on our website" is not proof. The actual record is.
What to capture and store for each opted-in contact:
- The exact timestamp of the opt-in (server time, not browser time)
- The IP address of the submission
- The URL or page where the opt-in happened
- The exact disclosure language shown to the consumer at that time (a versioned screenshot or HTML snapshot works)
- The phone number as the consumer entered it
- Any confirmation message sent and the consumer's reply (for double opt-in)
- Opt-out records, with timestamp
How long? The TCPA statute of limitations is four years under 28 U.S.C. § 1658 for federal claims. [9] Some state claims run longer. Keep records at least five years to be safe.
Storage format matters less than retrieval speed. Get a litigation hold letter and you need those records fast. A CSV buried in an old email is technically a record and practically a nightmare. A purpose-built consent tool, or at minimum a clean database table, makes this survivable.
LeadCompliant's compliance kit includes a consent record template and a checklist for auditing your capture process. It is free and takes about 20 minutes to run.
For how a legally complete sms opt in process fits together end to end, that guide walks through each step.
Are there special rules for different types of SMS programs?
Yes. The TCPA and CTIA guidelines treat program types differently, and the requirements are not the same across the board.
Promotional/marketing programs: These need prior express written consent with all disclosures. Highest bar, most litigation.
Transactional programs: Appointment reminders, order confirmations, shipping updates. These need prior express consent (not written consent), a slightly lower standard. But they still need some affirmative agreement. A customer handing you a phone number to finish a purchase is not consenting to transactional texts unless you told them you would use it that way.
Mixed programs: Send transactional and promotional content in one program and the FCC treats the whole thing as promotional. The written consent standard covers all of it.
Political and nonprofit messaging: Political texts need consent under the TCPA just like commercial texts. The nonprofit carve-out is narrower than people think. Only calls (not texts) from 501(c)(3) organizations to their members may get some relief under FCC rules, and even that is contested.
Emergency and healthcare alerts: Covered entities under HIPAA that send health-related texts face TCPA and HIPAA privacy rules at once. That intersection is its own compliance job.
For restaurants and local businesses running loyalty programs, the rules match any commercial sender. See our examples at sample text message marketing for restaurants. Real estate teams have extra angles on prospecting texts, covered at real estate text message marketing.
How should you audit your current SMS opt-in process?
An audit does not need to be expensive or take weeks. Here is what I would actually do:
Step 1: Map every place you collect phone numbers. Web forms, landing pages, in-store tablets, phone calls, third-party lead vendors. Most teams have more collection points than they think.
Step 2: For each one, answer three questions. Does the disclosure mention texting specifically? Is the consent checkbox unchecked by default? Is there a link to a privacy policy? Any "no" means that collection point is non-compliant.
Step 3: Check your suppression list hygiene. Pull your opt-out list and see whether any of those numbers show up in active send lists on any platform. One match is a problem.
Step 4: Test your opt-out flow. Opt out from your own number. Verify the confirmation message is correct, that no further marketing texts arrive, and that the opt-out lands in your CRM within 24 hours.
Step 5: Read your lead vendor contracts. If you buy or rent phone lists, the contract should warrant that consent was obtained for your specific business, not for the vendor's generic purposes. Post-2023 FCC guidance makes this matter a lot. [4]
The TCPA, at 47 U.S.C. § 227(b)(3), says a person may "if otherwise permitted by the laws or rules of court of a State, bring in an appropriate court of that State" a private action. [1] That is why anyone can sue you in their home state, which makes multi-state exposure real for any national sender.
For a structured version of this, our opt-in SMS marketing: the complete compliance guide goes deeper on method. If you want to compare text message marketing software with compliance features built in, that guide lines up the main platforms.
What does a compliant SMS opt-in flow look like from start to finish?
Here is a concrete, end-to-end flow for a promotional SMS program run by a hypothetical e-commerce brand.
At signup (web form): The form has a name field, an email field, and a phone field. Below the phone field is an unchecked checkbox with this text: "I agree to receive promotional text messages from Acme Co. (approx. 4 msgs/month). Msg & data rates may apply. Reply STOP to unsubscribe. Reply HELP for help. View our Privacy Policy and Terms."
The box has to be checked to submit. The form captures timestamp, IP, page URL, and the exact disclosure text version.
Immediately after submission (double opt-in confirmation text): "Acme Co.: Reply YES to confirm you'd like texts about deals & updates (4 msgs/month). Msg & data rates may apply. STOP to cancel, HELP for info."
After the consumer replies YES: "Welcome to Acme Co. texts! Expect ~4 msgs/month with deals. Msg & data rates may apply. Reply STOP to unsubscribe, HELP for help."
The record stored: phone number, opt-in timestamp, IP, page URL, disclosure text version ID, confirmation timestamp, YES reply log.
When the consumer texts STOP: "You've been unsubscribed from Acme Co. alerts. No more texts from us. To rejoin, visit [URL]."
The suppression record: phone number, opt-out timestamp, source (consumer reply), synced to all active send platforms within one hour.
That is it. Nothing fancy. The compliance lives in the disclosure language and the recordkeeping, not the technology. For the marketing text message service layer, most reputable platforms support this flow natively.
For teams building this into a broader text messaging for business marketing: the complete compliance guide approach, that resource covers the operational setup in more detail.
What should you do if you already have a list with uncertain consent?
This is a common problem, and the honest answer is uncomfortable: you probably cannot text that list for marketing.
If you cannot produce a consent record for a number, legally you do not have consent. In TCPA litigation the burden is on the sender to prove consent, not on the plaintiff to prove its absence. [1]
What are your options?
First, if the list came from in-person or phone contacts where you believe consent exists but never got documented, run a re-consent campaign through a channel where you do have documented permission, usually email. Send an email asking people to opt in to texts through a compliant web form. That turns uncertain contacts into documented ones.
Second, for cold lists with no prior relationship, you generally cannot send a marketing text even to ask for consent. That solicitation text is the violation.
Third, scrub the list against the National Do Not Call Registry and any state DNC lists before you do anything. [10] Numbers on those registries have said, in writing, that they do not want solicitations.
Fourth, if the list is old (over 12 to 18 months), the numbers may have changed hands. Wireless numbers get recycled. The FCC's 2014 order took on reassigned numbers, and the Reassigned Numbers Database now exists so senders can check whether a number went to a new consumer. [11] Texting a recycled number without checking that database has become its own source of TCPA liability.
My actual recommendation: if the list is more than 18 months old and you cannot document consent, do not use it for outbound SMS. The liability math almost never favors you.
For how these situations play out in court, our lead generation compliance news feed covers new case outcomes regularly.
Frequently asked questions
Can I text someone who gave me their number on a business card?
No, not for marketing. A business card is not consent to receive promotional texts. You can call them in a B2B context, but a marketing text needs prior express written consent under the TCPA no matter how you got the number. If they handed you the card at a trade show, they still have to complete a compliant opt-in before any promotional text goes out.
Does a purchase constitute SMS opt-in consent?
No. A purchase gives you a business relationship, not SMS marketing consent. You can send a transactional order confirmation if the customer provided a phone number for that purpose, but you need separate prior express written consent before any promotional text. The FCC has been consistent on this since its 2012 order at 47 C.F.R. § 64.1200.
How long is SMS consent valid for?
There is no fixed expiration in the TCPA. Courts and the FCC treat consent as stale after long silence or after a program changes materially. Compliance attorneys generally flag consent obtained more than 18 to 24 months ago and never acted on as risky. And if a number has been reassigned to a new consumer, the prior owner's consent is worthless.
Does the TCPA apply to B2B text messages?
Yes, with limited nuance. The TCPA covers all autodialed or prerecorded texts whether the recipient is a consumer or a business. There is a narrow argument that some B2B texts to direct-line business numbers fall outside the "residential subscriber" language in certain provisions, but courts have not uniformly accepted it. Treat all outbound SMS as TCPA-covered unless a lawyer tells you otherwise.
What is the FCC's one-to-one consent rule for lead generation?
The FCC's December 2023 order requires consent collected on a lead generation form to apply only to the specific business named in that form, not to a broad list of "marketing partners." You cannot lawfully buy leads where consumers consented to contact by unnamed third parties and then text them under your brand. The rule took effect in January 2025 after some litigation delays.
Can I use a keyword opt-in like texting JOIN to a short code?
Yes, keyword opt-in is valid. The consumer texts a keyword (JOIN, YES, and so on) to your short code or long code. You then send an immediate confirmation that includes your program name, message frequency, "msg and data rates may apply," and STOP/HELP instructions. Log the inbound keyword, the number, and the timestamp as your consent record.
Does TCPA apply to texts sent from a regular 10-digit long code?
Yes. The TCPA covers texts sent via an "automatic telephone dialing system," and after the Supreme Court's 2021 Facebook v. Duguid decision, the autodialer definition narrowed to systems that use random or sequential number generation. Most mass-texting platforms still use systems that could qualify, and carrier policies and CTIA guidelines apply regardless of the legal definition. A 10-digit number is not a safe harbor.
What hours can you legally send marketing texts?
The TCPA limits telemarketing calls to between 8 a.m. and 9 p.m. local time at the recipient's location, and the FCC applies the same window to marketing texts. Several states, including California and Florida, match or tighten it. Text at 11 p.m. and you have a clean TCPA violation on top of any consent problem.
What is the National Do Not Call Registry's role in SMS compliance?
The National DNC Registry, run by the FTC at donotcall.gov, covers telemarketing calls and texts to residential and wireless numbers. If a number is on the DNC list, you cannot text it for marketing without specific prior express written consent from that individual. Scrubbing your list against the registry before every campaign is a baseline requirement, not an option.
What happens if I buy leads and the consent is invalid?
You are liable. The TCPA has no bona fide error defense for buying bad leads. Text a consumer without valid consent and you are the sender facing the statutory damages. Your contract with the vendor might give you an indemnification claim, but that does not erase your exposure to the consumer. That is exactly why the FCC's one-to-one consent rule matters so much for lead buyers.
Do non-profits or political campaigns need SMS consent?
Yes. The TCPA applies to political campaign texts and to most nonprofit marketing texts. Narrow exemptions exist for non-commercial calls to landlines from tax-exempt organizations, but texts to wireless numbers require consent regardless of tax status. Political texting campaigns have drawn TCPA suits, and the FCC has not created a blanket exemption for them.
What is the Reassigned Numbers Database and do I need to use it?
The Reassigned Numbers Database (RND) is an FCC-mandated database that tracks when wireless numbers get disconnected and reassigned to new consumers. Carriers submit disconnected numbers monthly. Text a recycled number and the new owner never consented, so you have a violation. The FCC signals that checking the RND before texting is expected practice. Access costs roughly $15 per month for small-volume users as of 2024.
How do I know if my SMS platform is TCPA compliant?
The platform does not make you compliant. Compliance rides on your consent records, your disclosure language, and your suppression list management. What a good platform gives you is infrastructure: automatic STOP handling, consent timestamp logging, DNC scrubbing integrations. Ask any vendor whether they handle STOP keywords in real time, whether they log opt-in timestamps, and whether they offer a suppression list API. If they cannot answer clearly, that is a signal.
What should the opt-out confirmation text say?
It should name you, confirm the opt-out is processed, and tell the person they will get no further messages. Something like: "[Brand]: You've been unsubscribed. No more texts from us. To rejoin text JOIN to this number." That is all. No promotional content, no discount offers, no re-engagement ask. Slipping marketing into the confirmation is its own potential violation.
Sources
- Cornell Law School LII, 47 U.S.C. § 227 - Telephone Consumer Protection Act: TCPA statutory damages of $500 per violation, $1,500 for willful violations; private right of action; applies to autodialed texts
- FCC, 47 C.F.R. § 64.1200 - Delivery restrictions: Prior express written consent definition and requirements for marketing calls and texts, including no-condition-of-purchase clause
- Federal Trade Commission, TCPA Enforcement Actions and Settlements Overview: Papa John's $16.5 million TCPA settlement (2013) and Jiffy Lube $47 million settlement (2016) for marketing texts without proper consent
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA gives California residents the right to opt out of sale of personal information including phone numbers used for marketing
- Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059 F.S.: Florida FTSA (effective July 2021) bans autodialed marketing texts to Florida residents without prior express written consent, with private right of action
- Washington State Legislature, Commercial Electronic Mail Act (CEMA), RCW 19.190: Washington CEMA covers commercial electronic messages including texts sent to Washington numbers
- Cornell Law School LII, 28 U.S.C. § 1658 - Statute of limitations for federal civil actions: Federal statute of limitations for TCPA civil claims is four years
- FTC, National Do Not Call Registry: National DNC Registry covers telemarketing texts to wireless numbers; registered numbers cannot be contacted without specific prior express written consent
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed autodialer definition to systems that use random or sequential number generation, but did not eliminate TCPA coverage of mass SMS platforms