SMS opt-in form: what it must say and how to build one

A compliant SMS opt-in form needs 6 specific disclosures under TCPA and FCC rules. See real language, common mistakes, and a free checklist.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Person completing an opt-in form on a table in a coffee shop
Person completing an opt-in form on a table in a coffee shop

TL;DR

An SMS opt-in form collects written consent before you text someone for marketing. Under 47 U.S.C. § 227 and FCC rules, it must name your brand, describe the message type, state that consent is not required to buy anything, and include HELP and STOP instructions. Missing any one element exposes you to $500 to $1,500 per text in statutory damages.

What is an SMS opt-in form and why does it matter legally?

An SMS opt-in form is the mechanism, whether a web form, paper card, keyword text, or checkout checkbox, by which a consumer expressly agrees in writing to receive automated text messages from you. That agreement is the legal foundation your entire texting program rests on.

The Telephone Consumer Protection Act (47 U.S.C. § 227) prohibits using an autodialer or predictive dialer to send marketing texts to a wireless number without the recipient's prior express written consent [1]. "Prior express written consent" is a term of art defined in FCC regulations at 47 C.F.R. § 64.1200(f)(9): a written agreement, including electronic signatures, that clearly authorizes the seller to send autodialed or prerecorded messages to the phone number provided [2]. Without that agreement, every single marketing text can be its own independent violation.

The stakes are not abstract. TCPA carries statutory damages of $500 per violation and up to $1,500 per willful violation [1]. Class actions in this space routinely reach eight figures. The plaintiffs' bar has built entire practices around catching companies with defective opt-in forms, and settlements have run into the hundreds of millions of dollars.

The opt-in form is evidence. If you ever face a lawsuit or an FCC complaint, your opt-in record, the form language, the timestamp, the IP address, and the stored consent, is what stands between you and a judgment.

What are the required elements of a TCPA-compliant SMS opt-in form?

The FCC and TCPA do not hand you a fill-in-the-blank template. The required disclosures are still well-established, through the statute, FCC orders, and a decade of class-action litigation. A compliant opt-in form must include all of the following.

1. Clear identification of the sender. The consumer has to know who they are consenting to hear from. Use your legal business name or the DBA consumers recognize. Vague references like "our partners" have been struck down repeatedly.

2. Description of message types. Tell people what they will receive: promotional offers, appointment reminders, order updates, and so on. A form that says only "marketing messages" is defensible but thin. The more specific you are, the more clearly you match the consent to the messages you actually send.

3. Estimated message frequency. You have to disclose roughly how often you will text, for example "up to 4 messages per month" [2]. Carriers and CTIA guidelines both require this, and it feeds directly into your opt-in confirmation message.

4. That consent is not a condition of purchase. The FCC's 2012 order made this mandatory: you cannot condition a sale, service, or other benefit on the consumer's agreement to receive marketing texts [12]. The exact phrase most compliance attorneys use is: "Consent is not a condition of any purchase."

5. HELP and STOP instructions. Consumers have to be told they can text STOP to opt out and HELP for assistance, and given a link or number for support.

6. Message and data rates disclosure. "Msg & data rates may apply" is standard and required. Carriers enforce this at the network level too.

The FCC's 2023 one-to-one consent order, which took effect in January 2025, added another layer: consent obtained through a lead generator must now name the specific seller at the point of opt-in, rather than authorize a broad category of companies [3]. Blanket consent forms that said "you agree to be contacted by our marketing partners" became legally insufficient as of that rule's effective date.

Required elementSourceConsequence if missing
Sender identification47 C.F.R. § 64.1200(f)(9)Consent invalid, each text a violation
Message type descriptionFCC 2012 Report & OrderConsent scope disputed
Frequency disclosureCTIA Messaging PrinciplesCarrier filtering, weaker consent
"Not a condition of purchase"FCC 2012 R&OPer se violation of FCC rule
STOP/HELP instructionsCTIA / carrier requirementsOpt-out failures, escalating damages
Msg & data rates noticeCTIA Messaging PrinciplesCarrier compliance issues
Named seller (post-Jan 2025)FCC 2023 One-to-One OrderConsent invalid for that seller

What does a sample SMS opt-in form actually look like?

Below is language you can model. This is not legal advice, and you should have an attorney review anything before you deploy it. This structure reflects what compliant forms actually contain.

---

Sample opt-in language for a web form checkbox:

"By checking this box and submitting your phone number, you agree to receive recurring automated marketing text messages from [Your Company Name] at the number provided. Consent is not a condition of any purchase. Message frequency varies, up to [X] msgs/month. Msg & data rates may apply. Reply STOP to cancel, HELP for help. View our [Privacy Policy] and [Terms of Service]."

---

Sample keyword opt-in flow (the consumer texts a keyword to join):

Consumer texts JOIN to 55555.

Auto-reply: "[Brand Name]: You're in for exclusive deals, up to 4 msgs/month. Msg & data rates may apply. Reply STOP to opt out, HELP for info."

---

What this language does: It names the sender, describes recurring automated texts, states message frequency, disclaims purchase conditioning, gives STOP and HELP instructions, and links to the privacy policy. That covers every element listed in the previous section.

A few things to notice. The checkbox cannot be pre-checked. Pre-checked boxes do not count as affirmative opt-in for SMS purposes, and courts have consistently held that a consumer who did not actively check a box has not given prior express written consent [4]. The form also must not bundle SMS consent with terms of service acceptance on the same checkbox, because the FCC requires a separate, unambiguous agreement for marketing texts.

For a deeper look at how consent language varies by channel, see sms opt in for channel-specific guidance and sms opt-in requirements for the full regulatory breakdown.

TCPA SMS violation damages at a glance Statutory per-message exposure under 47 U.S.C. § 227 $500 Standard statutory damages… text $1,500 Willful violation damages p… text $925M ViSalus class judgment (tot… Source: 47 U.S.C. § 227 and Wakefield v. ViSalus (9th Cir. 2021)

The FCC's December 2023 Report and Order on one-to-one consent went into effect on January 27, 2025 [3]. It changed how lead generation opt-in forms work, and if your form was drafted before 2025, you almost certainly need to update it.

The old practice was simple. A comparison website or lead generator would include language like "you agree to be contacted by up to [X] partners about [topic]." Consumers technically consented, but they had no idea which specific companies would be calling or texting. The FCC called this the lead generation loophole and closed it.

Under the 2025 rule, prior express written consent for marketing texts has to go directly to the specific company that will send the messages, not to a category of companies, not to unnamed partners, and not via a form that passes consent downstream to whoever bought the lead [3]. The order also requires that consent be logically and topically associated with the website where it is collected. A mortgage site cannot pass consent to a car insurance company.

For outbound sales teams who buy leads: you now need to verify that the consent collected at the lead source named your company by name, and was given on a page topically related to what you sell. Buying a list and texting it without that verification is a willful violation under the new rule, which pushes per-message damages toward the $1,500 ceiling.

For lead generators: your opt-in forms have to list each specific company the consumer is consenting to hear from, with a working hyperlink to each company's privacy policy. The days of "and up to 20 marketing partners" are over.

Stay current on enforcement as this rule beds in at tcpa news today.

What happens if your SMS opt-in form is missing a required disclosure?

A missing disclosure does more than make your form slightly noncompliant. It can mean you have no valid consent at all, and every text you send without valid consent is an independent TCPA violation.

Here is how the exposure compounds. Say you send one promotional text per week to a list of 10,000 people whose consent forms lacked the "not a condition of purchase" language. Over six months, that is roughly 240,000 texts. At $500 per text, that is $120 million in potential statutory damages before any willfulness multiplier. Class actions have been certified on far less.

Court outcomes make the point. Salcedo v. Hanna (11th Cir. 2019) addressed standing in single-text cases [5]. Wakefield v. ViSalus (9th Cir. 2021) involved a $925 million judgment tied to roughly 1.8 million calls and texts made after consent was arguably revoked [6]. The risk is not hypothetical.

The FCC also has independent enforcement authority. Under 47 U.S.C. § 227(b)(1), it can issue forfeiture orders separate from private lawsuits. The agency levied a $299 million forfeiture against a single robocall operation in 2023 [7]. Enforcement appetite is real.

Here is the practical reality. If a plaintiff's attorney sends you a demand letter, the first question from the defense side is always: can we produce the signed opt-in record? If the answer is no, or if the form language is defective, settlement becomes the rational choice fast. A defective form turns a winnable defense into an expensive settlement.

Web form vs. keyword opt-in vs. paper form: which is the most defensible?

Each opt-in method has different evidence advantages and risks. There is no universal best method. The right one depends on your channel and your ability to store records.

Web form opt-in is the most defensible for digital acquisition because you can log timestamp, IP address, form version, user agent, and page URL at the moment of submission. That creates an auditable consent record you can produce in litigation. The risk is form abandonment if the disclosure language feels long, and the temptation to bury it in fine print, which courts and the FCC do not accept.

Keyword opt-in (consumer texts a word to a short code) is strong because the consumer initiates contact from their own device. The carrier logs the inbound message. The risk is that your auto-reply confirmation has to contain all required disclosures, and many companies send confirmation messages that are too thin.

Paper form opt-in is common in retail, healthcare, and real estate. It works legally but creates a storage and retrieval problem. You need a process to digitize and archive these records so you can produce them years later if needed. A signed paper form you cannot find when sued is nearly worthless.

Checkout flow opt-in (an e-commerce checkbox at purchase) is convenient for the consumer but legally risky if the checkbox is bundled with terms acceptance, pre-checked, or placed where it could be missed. Courts have found that low-contrast, small-font opt-in language near a "place order" button does not count as clear and conspicuous disclosure [4].

For tcpa sms compliance purposes, the gold standard is a web form with server-side timestamp logging, paired with a double opt-in confirmation text. Sms double opt in adds a second confirmation step that is close to bulletproof evidence of consent.

How long do you need to keep SMS opt-in records?

The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, and some state analogs run longer. California's UCL claims can sometimes reach back further under tolling arguments. The practical answer: keep opt-in records for at least five years, and longer if you are in a state with aggressive consumer protection laws.

What you store has to be more than "they checked a box." A defensible consent record includes the exact form language shown at the time of opt-in (version-controlled), the timestamp and timezone, the IP address, the phone number as submitted, and the referring URL. If you update your opt-in form language, archive the old version with a date range so you can reconstruct what any given consumer actually saw.

Many SMS platforms store consent metadata alongside the contact record. If yours does not, your CRM or a dedicated consent management system needs to fill that gap. Losing consent records in a database migration or platform switch is a common and expensive mistake. Build an export and backup cadence before you need it.

The FCC's 2023 one-to-one order also assumes that sellers who receive leads can demonstrate that the consent they relied on actually named them. That means you need to retain more than your own opt-in records. You need records of where and how you received any third-party consent [3].

Can you use a single opt-in form for multiple brands or product lines?

No, not under post-2025 FCC rules, and this is the question that trips up holding companies, franchises, and multi-brand retailers most often.

If you operate three brands, a consumer opting in to brand A's texts cannot legally be sent texts from brand B, even if both are owned by the same parent company, unless the opt-in form specifically named brand B and the consumer affirmatively consented to that brand's messages. The FCC's one-to-one consent framework was designed to prevent exactly this daisy-chaining [3].

Some companies try to work around it by listing all affiliated brands in fine print at the bottom of the form. That is legally questionable and unlikely to survive scrutiny. If brand B is not prominently identified as a sender on the form, a court or the FCC will likely find consent to brand B's texts was never obtained.

For multi-location businesses like franchise systems, each franchisee that runs its own SMS program typically needs its own consent, unless the franchisor runs a single consolidated program under one brand identity. Run a franchise or dealer network? This one is worth a legal opinion.

What does a compliant opt-in confirmation text need to say?

When a consumer completes your opt-in form, your first outgoing text, the confirmation, has to work as a standalone disclosure. Do not assume the consumer still has your form in front of them.

A CTIA-compliant confirmation text includes [8]: your brand name, confirmation that they opted in, message frequency, a message and data rates disclosure, STOP to opt out, and HELP for help. Many platforms format it like this:

"[Brand]: Thanks for joining! You'll get up to 4 msgs/month. Msg & data rates may apply. Reply STOP to opt out, HELP for help."

That is 160 characters, which fits a single SMS segment. Keep it under 160 characters when you can to avoid multi-part message billing and formatting issues on older devices.

The confirmation text is also your last practical chance to catch wrong numbers before you build a texting relationship. If someone texts back "wrong number" or "who is this," treat that as an immediate opt-out and suppress the number. Texting someone who has told you they are not the intended recipient, after that notice, is a willful violation.

How do SMS opt-in rules differ for B2B versus consumer marketing?

The TCPA's prior express written consent requirement applies to calls and texts to wireless numbers [1]. It does not distinguish between B2B and B2C contacts based on the purpose of the message. If you are texting a cell phone, the TCPA applies, period.

The practical risk profile is different, though. B2B contacts are less likely to file TCPA class actions, and some courts have been more skeptical of TCPA standing for business-purpose texts. But no court has established a clear B2B exemption for texts, and the FCC has not created one. Several district courts have allowed B2B TCPA claims to proceed [9].

The safer position is to treat any text to a cell phone as requiring prior express written consent, regardless of whether the recipient is a business contact or a consumer. If your contacts are providing a mobile number on a business form, you can include an opt-in checkbox in that form. The disclosure language can be professional in tone, but the substantive requirements are the same.

For companies doing outreach to business contacts, b2b lead generation platforms gdpr compliance covers the intersection of GDPR and TCPA for international prospect lists, which matters if your list has EU contacts mixed in.

LeadCompliant's free TCPA tools include a consent language checker that flags missing disclosures in your current opt-in form. Worth running on any form before your next campaign launch.

What is the difference between opt-in for transactional texts vs. marketing texts?

The TCPA distinguishes between prior express consent (lower bar, allows informational and transactional texts) and prior express written consent (higher bar, required for marketing texts) [2]. Getting this distinction wrong is a common and expensive mistake.

Transactional texts include appointment reminders, order confirmations, shipping updates, and fraud alerts. For these, you need prior express consent, which can be implied from the consumer providing their phone number in a transactional context. You do not need the full written consent disclosure block.

Marketing texts, meaning anything that promotes a product, service, or commercial offer, require prior express written consent with all the disclosures covered above. A text that says "your package shipped" is transactional. A text that says "your package shipped, and here's 20% off your next order" is marketing. Mixing marketing content into a transactional message requires written consent.

This distinction shapes form design. If you collect a phone number for appointment reminders and then start sending promotional texts to the same number, you likely do not have valid consent for those promotional texts. You need a separate, affirmative opt-in for the marketing program.

The line between transactional and promotional can get genuinely blurry. A password reset text is clearly transactional. A "we noticed you left items in your cart" text is almost certainly promotional under FCC interpretation, even though it references a prior transaction. When in doubt, get written consent.

How do state laws layer on top of federal TCPA opt-in requirements?

The TCPA sets a federal floor. States can and do add requirements on top of it, and since 2020 the trend has been toward stricter state laws, not looser ones.

California's Automatic Renewal Law (ARL) requires that any offer involving a subscription or free trial, which often includes SMS programs with exclusive offers, carry affirmative consent that is clearly and conspicuously disclosed before purchase [10]. California also has the CPRA/CCPA, which adds opt-in requirements for selling personal data, and mobile numbers are personal data.

Florida's Telephone Solicitation Act (FTSA), amended in 2021, created a private right of action for automated texts sent without prior express written consent that is stricter in some respects than federal TCPA requirements [11]. Florida plaintiffs do not have to prove use of an ATDS under the same definition federal courts use, which broadens exposure.

Texas, Washington, and Oklahoma have their own mini-TCPA or telemarketing laws with varying consent requirements. Washington's CEMA applies to commercial electronic messages including texts and has its own opt-out requirements.

The practical implication: if your list includes consumers from multiple states, design your opt-in form to the strictest applicable standard. California and Florida consumers warrant the most careful form language. For state-specific detail, tcpa sms compliance covers state law layering in more depth.

How do you handle opt-out and make sure it feeds back to your opt-in records?

Opt-out is the other side of the opt-in record, and it matters just as much. The TCPA and FCC rules require you to honor opt-out requests immediately upon receipt [2]. Texting someone even once after they have sent STOP, or any reasonable variation like UNSUBSCRIBE, QUIT, or CANCEL, can be a willful violation.

Your SMS platform should handle STOP replies automatically at the carrier and aggregator level. But platform-level suppression is not enough if you also maintain a CRM list or export contacts to other tools. You need a process, ideally automated, that propagates opt-outs from your texting platform to every other system that might trigger a text to that number.

Common failure modes: you honor STOP in your SMS tool but the contact stays active in your email platform, and that platform has a text integration that fires anyway. Or someone opts out in month one, you rebuild your audience list in month four from a CRM export that predates the opt-out, and you text them again. Both generate willful violation exposure.

Store opt-out records with the same care as opt-in records. The timestamp of the STOP reply and the suppression action taken is evidence you need if a plaintiff claims they were texted after opting out.

For a complete look at building the texting infrastructure around compliant opt-in, marketing text message service covers vendor selection, and text message marketing software reviews what to look for in platform-level compliance features.

Frequently asked questions

Does an SMS opt-in form need to be a separate form, or can it be part of a general sign-up?

It can be part of a general sign-up, but the SMS consent has to be a separate, affirmative checkbox. It cannot be bundled with terms of service acceptance on a single checkbox, and it cannot be pre-checked. The FCC requires a clear and conspicuous disclosure specifically for the automated text message program. A general email sign-up does not transfer consent to SMS texting.

Is a verbal opt-in over the phone enough for SMS marketing?

No. Marketing texts require prior express written consent under 47 C.F.R. § 64.1200(f)(9), which means a physical or electronic signature. A verbal agreement recorded on a call does not meet the written consent standard. Some companies follow up a verbal agreement with a text-based opt-in flow where the consumer replies YES, which can work, but the verbal call alone is legally insufficient for marketing texts.

What does "clear and conspicuous" disclosure mean for an SMS opt-in form?

The FCC has interpreted clear and conspicuous to mean a reasonable consumer would notice and understand the disclosure without searching for it. In practice: the disclosure appears near the phone number field, not buried in a footer or a separate linked terms page, in a readable font size and contrast. Courts have struck down disclosures that appeared only in light-gray text beneath a submit button.

Can I use a purchased lead list if the leads opted in to receive texts from "marketing partners"?

Not after January 27, 2025. The FCC's one-to-one consent rule requires that the opt-in form specifically name your company as a sender. Blanket consent to unnamed marketing partners is no longer valid for TCPA purposes. If you buy leads, you need documentation showing the consumer's opt-in form named your business specifically, or you are texting without valid consent.

How is opt-in for text messages different from opt-in for email?

Email opt-in is governed by CAN-SPAM, which does not require prior consent, only an unsubscribe mechanism. SMS opt-in is governed by the TCPA, which requires prior express written consent before you send any marketing text. The consent standard for SMS is much stricter, and the damages exposure, $500 to $1,500 per text, is far higher than CAN-SPAM penalties on a per-message basis.

What phone number types do SMS opt-in requirements apply to?

TCPA opt-in requirements apply to text messages sent to wireless numbers, which is almost every cell phone number. The TCPA originally applied to calls to wireless numbers, and FCC interpretations extend the framework to text messages sent via autodialer to the same numbers. Business landlines that receive texts fall into a grayer area, but most compliance programs treat all cell numbers as requiring prior express written consent.

Do I need a double opt-in for SMS, or is single opt-in enough?

Single opt-in, where the consumer submits a web form or checks a box, is legally sufficient under the TCPA if the form contains all required disclosures. Double opt-in, where you also send a confirmation text requiring a reply, is not legally required but creates much stronger evidentiary proof of consent. Given the litigation risk, double opt-in is worth the small friction cost, especially for high-volume programs.

What should my SMS opt-in confirmation text say?

Your confirmation text should include your brand name, acknowledgment that they opted in, estimated message frequency, message and data rates disclosure, and STOP and HELP instructions. A compliant example: "[Brand]: You've joined for deals, up to 4 msgs/month. Msg & data rates may apply. Reply STOP to opt out, HELP for help." Keep it under 160 characters if possible to avoid multi-part message issues.

Can a real estate agent or broker collect SMS opt-in through a property inquiry form?

Yes, as long as the form includes all required TCPA disclosures at the point the consumer enters their phone number. The consent has to be logically related to real estate services, and under post-2025 FCC rules, it must name the specific agent or brokerage as the sender. A generic "be contacted by agents" checkbox is no longer sufficient. See real estate text message marketing for industry-specific guidance.

How often do I need to update my SMS opt-in form?

Review your form any time the FCC issues a new rule or order affecting consent, any time you change the types of messages you send, any time you add a new brand or seller to your program, or any time case law in your circuit shifts the standard. At minimum, do an annual review. Archive every version of your form with the date range it was in use, so you can reconstruct what any given consumer saw.

You need to retain the exact form language shown at opt-in (version-controlled), the timestamp and timezone, the consumer's IP address, the phone number as submitted, and the referring URL. For keyword opt-ins, retain the inbound message log. For paper forms, digitize and archive them. Keep all records for at least five years given the TCPA's four-year statute of limitations plus a safe margin.

Are there industry-specific SMS opt-in rules I should know about?

Healthcare providers layer HIPAA considerations on top of TCPA when texting about protected health information. Financial services firms face additional CFPB guidance on consumer contact. Cannabis businesses face carrier-level restrictions that make compliant SMS programs difficult regardless of opt-in quality. Restaurants and retailers generally follow standard TCPA rules. See sample text message marketing for restaurants for a sector example.

Does the TCPA apply to texts sent from a regular business cell phone, not an autodialer?

This is genuinely contested. Under Facebook v. Duguid (2021), the Supreme Court narrowed the definition of autodialer to systems that use a random or sequential number generator. Manual texts from a regular phone fall outside that narrowed ATDS definition at the federal level. Some state laws, notably Florida's FTSA, use a broader definition. And platforms that send individually triggered but automated texts still raise ATDS questions.

What is the LeadCompliant compliance kit and does it cover SMS opt-in forms?

LeadCompliant offers a one-time compliance kit and free TCPA checkers at leadcompliant.com. The tools include consent language review for opt-in forms, DNC scrubbing guidance, and TCPA basics documentation. The kit is designed for small outbound teams who need a practical starting point without paying for a full legal audit on day one. It supplements but does not replace qualified legal counsel for your specific program.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed marketing texts to wireless numbers without prior express written consent; statutory damages are $500 per violation and up to $1,500 for willful violations
  2. FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA: Defines prior express written consent, requires frequency disclosure, prohibits conditioning consent on purchase, and mandates STOP/HELP instructions
  3. FTC, Dot Com Disclosures: How to Make Effective Disclosures in Digital Advertising: Pre-checked boxes and low-contrast disclosures do not constitute clear and conspicuous consent under federal consumer protection standards
  4. Salcedo v. Hanna, 11th Circuit Court of Appeals, 2019: 11th Circuit addressed Article III standing requirements for single-text TCPA claims, illustrating judicial treatment of one-message violations
  5. Wakefield v. ViSalus, 9th Circuit Court of Appeals, 2021: Resulted in a $925 million TCPA judgment for approximately 1.8 million automated calls and texts made without adequate consent
  6. Facebook, Inc. v. Duguid, U.S. Supreme Court, 2021 (No. 19-511): Supreme Court narrowed ATDS definition to systems using random or sequential number generators, affecting B2B and manual texting TCPA analysis
  7. California Legislative Information, Automatic Renewal Law (Business & Professions Code § 17600 et seq.): California ARL requires clear and conspicuous disclosure and affirmative consent for any auto-renewing subscription offer, including SMS programs tied to promotions
  8. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Section 501.059, Florida Statutes: Florida FTSA as amended in 2021 creates a private right of action for automated texts without prior express written consent using a broader ATDS definition than federal law

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit