SMS opt-in laws: what every outbound team must know

TCPA requires prior express written consent before marketing texts. Fines hit $500-$1,500 per message. Here's exactly what SMS opt-in law requires in 2026.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Hand holding smartphone on a sunlit desk, representing SMS opt-in compliance
Hand holding smartphone on a sunlit desk, representing SMS opt-in compliance

TL;DR

Federal law (TCPA, 47 U.S.C. § 227) requires prior express written consent before you send a marketing text. That consent has to be in writing, name the sender, disclose the program, and stay optional (not a condition of purchase). Violations run $500 to $1,500 per message. A January 2025 FCC rule now requires one-to-one consent per sender, killing the old lead-gen list-share trick.

What law actually governs SMS opt-in requirements?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, is the federal statute that controls commercial text messages sent with an automatic telephone dialing system or a prerecorded or artificial voice [1]. The FCC writes the implementing rules at 47 C.F.R. Part 64 and has issued a long string of declaratory rulings that spell out how the statute maps onto SMS [2].

For marketing texts, the standard is "prior express written consent." That phrase carries a specific legal meaning from the FCC's 2012 TCPA Omnibus Order: the consumer has to sign an agreement (electronic signatures count) that clearly authorizes the sender to send autodialed or prerecorded marketing calls or texts [2]. A verbal yes does not clear the bar for marketing.

The TCPA is not the only law you answer to. The CAN-SPAM Act is email-only and never touches SMS. But states have piled on. Florida's Telephone Solicitation Act (FTSA), live since July 2021, added a private right of action for texts and reaches some manually dialed messages [3]. Oklahoma, Washington, and others have run similar bills. The patchwork is real, and a clean federal posture does not make you safe in Florida.

Here is the short version. If you text U.S. consumers to sell something, the TCPA is your rulebook, the FCC is your regulator, and your own counsel needs to watch the state pile-on that has been building since 2021.

Prior express written consent is a signed agreement, from the person you plan to text, that clearly authorizes marketing messages sent by autodialer or prerecorded voice. The FCC's 2012 TCPA Omnibus Order set that standard [2]. Under the E-SIGN Act, typing your name in a web form or checking a box counts as a valid electronic signature.

For that consent to hold up in court, the written agreement has to carry four things:

1. A clear and conspicuous disclosure that by signing, the consumer agrees to receive autodialed marketing texts from the specific company. 2. The name of the seller (or sellers) who will text. 3. A statement that consent is not a condition of buying anything. 4. The consumer's phone number.

The "not a condition of purchase" rule trips up a lot of teams. You cannot bundle the opt-in with checkout. A checkout-page box that reads "required to complete purchase" is invalid consent under the TCPA, full stop.

The FCC's 2024 one-to-one consent rule, effective January 27, 2025, added another layer. Consent given to one company cannot be shared with or handed off to a different company [4]. That killed the old move of collecting a single opt-in on a comparison-shopping site and reselling that lead to dozens of marketers. Every sender now needs its own consent from every consumer. If you buy leads, the lead form has to name you.

For a deeper look at building a form that satisfies all of this, see our guide to SMS opt-in form: what it must say and how to build one.

The FCC's Report and Order, adopted in December 2023 and effective January 27, 2025, rewrote the lead-generation rules for text marketing [4]. Before it, a consumer who filled out a comparison-shopping form and checked one consent box could legally be contacted by any "partner" company buried in a disclosure. Plaintiffs' attorneys called them consent farms. The FCC agreed.

The 2025 rule requires consent to be (a) given to one seller at a time, (b) logically and topically related to the website where it is collected, and (c) unbundled from consent to hear from unnamed or vaguely described third parties [4]. The order puts it plainly: "prior express written consent must be from one consumer to one seller, not to a host of sellers" [4].

If you buy aged leads or shared lists, this rule is a direct threat. A list acquired before January 27, 2025 under the old multi-party model may carry no valid consent for your company at all. You either re-consent those contacts through your own opt-in flow or you stop texting them.

For teams running their own forms, the fix is simple. Name your company in the consent language. Do not roll consent across brands or affiliates into one checkbox. Document when and where every consent came in. Tools that log this automatically (timestamp, IP, form version) pay for themselves, because that log is your evidence when someone sues.

See TCPA SMS compliance for how this rule sits inside your broader compliance program.

What are the penalties for texting without proper SMS opt-in consent?

Statutory damages run $500 per text for negligent violations and up to $1,500 per text for willful or knowing ones [1]. The TCPA gives consumers a private right of action, so an individual can sue you without waiting for the FCC to lift a finger [1]. The statute sets no cap. A mass text to a non-consented list can build liability into the millions before a single case ever reaches trial.

Class actions are the real threat. One TCPA class action can bundle hundreds of thousands of $500 claims into a single number. Settlements in big TCPA SMS cases have run from a few million to north of $75 million. The $76 million Capital One settlement in 2014 is still one of the largest on record, and mid-size deals in the $5 to $20 million range happen all the time [5].

The FCC and state attorneys general can bring their own enforcement actions on top of that. The FCC can impose forfeitures of up to roughly $23,727 per violation under its own authority, separate from any private suit [6]. Florida's FTSA carries $500 per text for a first violation and $1,500 for repeats, mirroring the TCPA but with a shorter limitations period and, in some readings, a broader trigger [3].

The TCPA limitations period is four years under 28 U.S.C. § 1658, though a handful of courts have applied two years on a different theory. Assume four years when you assess the risk on an old list. That is the number that hurts.

Violation typeStatutory damages per textWillful multiplier
TCPA negligent$500None
TCPA willful/knowing$500Up to 3x ($1,500)
Florida FTSA first$500None
Florida FTSA repeat$500Up to 3x ($1,500)
FCC forfeiture (agency action)Up to $23,727N/A
TCPA and state SMS violation penalties per text Statutory damages ranges by violation type and jurisdiction TCPA negligent (per text) $500 TCPA willful/knowing (per text) $1,500 Florida FTSA first violation (per… $500 Florida FTSA repeat violation (pe… $1,500 FCC agency forfeiture (per violat… $24k Source: 47 U.S.C. § 227 [1]; Florida Stat. § 501.059 [3]; 47 U.S.C. § 503 [6]

Does the opt-in requirement apply differently to transactional vs. marketing texts?

Yes, and the gap matters in practice. The FCC splits "informational" messages (appointment reminders, order confirmations, two-factor codes, account alerts) from "telemarketing" or "advertisement" messages that push goods or services [2].

For purely informational texts, prior express consent (not written consent) is enough. The consumer just has to have handed you the number in connection with the transaction. A patient who gives a doctor's office their cell for appointment reminders has consented to those reminders under the TCPA.

The line blurs the second you add a sales pitch. An order-confirmation text that tacks on a coupon for next time is almost certainly a marketing message under the FCC's definition, which means you need prior express written consent. Courts and the FCC look at whether the "primary purpose" of the message is informational or promotional [2].

Here is the working rule for outbound teams. If you are texting to sell, assume you need prior express written consent. The transactional carve-out exists for service messages the customer actually asked for. It is not a side door for slipping offers into a receipt.

The opt-in rules for opt-in SMS marketing campaigns cover this split in more detail, including how to write transactional messages that stay on the safe side.

What must every SMS opt-in message or confirmation say?

When a consumer opts into an SMS program, they need a confirmation message. Industry standards, CTIA guidelines (which carriers enforce as a condition of network access), and FCC rules together require that confirmation to include [7]:

  • The program name or brand name.
  • The message frequency ("up to 4 msgs/month" or "recurring messages").
  • A disclosure that message and data rates may apply.
  • Opt-out instructions ("Reply STOP to unsubscribe").
  • Help instructions ("Reply HELP for help").
  • A link to the full terms and privacy policy.

The CTIA's Messaging Principles and Best Practices, updated in 2023, lays all of this out [7]. AT&T, Verizon, and T-Mobile audit messages against these standards and can shut down your short code or toll-free number if you miss them. Being TCPA-clean but CTIA-dirty means your messages may never reach anyone.

The confirmation text is a separate step from the consent itself. Consent gets captured at the form or point of collection. The confirmation goes out right after the first opt-in action to lock in the enrollment and deliver the required disclosures. You need both.

On the keyword path (consumer texts "JOIN" to a short code), the confirmation has to carry all the same elements, because the consumer never saw a web form with written disclosures before hitting send.

For a full template and walkthrough, see our sms opt in guide.

How do opt-out and revocation rules work for SMS?

Consumers can revoke SMS consent at any time, through any reasonable means. The TCPA guarantees that right, and the FCC's 2024 Order made it broad on purpose [1]. A consumer can pull consent by replying STOP, calling your service line, sending a written request, or any other method that puts you on notice they are done [8].

For SMS, the floor is this. STOP (plus common variants like STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT) has to remove the consumer immediately. Carriers enforce this at the network level for short codes. For long codes and toll-free numbers, your platform has to handle it in code.

Once a consumer revokes, you get a short window to stop. The FCC treats 10 business days as a reasonable outer bound for processing [8]. Send one more marketing text after a STOP and you are looking at a willful violation and the $1,500 per-message exposure.

You can send a single confirmation after a STOP that acknowledges the opt-out and leaves a path back ("You've been unsubscribed. Reply START to re-subscribe."). That one message is fine. What you cannot do is argue, drop a "we'd love to keep you" retention pitch, or stall the opt-out to squeeze in one last sell.

Keep your opt-out records as carefully as your opt-in records. If someone opts back in later, you want a clean trail showing the new consent came after the revocation.

Are there different SMS opt-in rules for B2B texting?

Technically yes. The TCPA's private right of action runs to calls and texts to "residential telephone subscribers," and some courts have found that texting a business cell phone falls outside the statute [9]. The practical reality is messier.

Most B2B prospects read your text on a personal cell phone, even if they use it for work. Courts split on whether a phone used for both personal and business calls loses its business-subscriber status. Some have tossed TCPA claims where the plaintiff used the number mostly for business. Others have not. The safe operational stance is to treat every cell phone as potentially covered by the TCPA, no matter where you found the number.

CAN-SPAM does not apply to SMS. The FCC has issued no formal B2B exemption for text the way it has for certain voice calls. CTIA guidelines apply whether your recipient is a business or a consumer.

For international B2B texting to EU residents, b2b lead generation platforms gdpr compliance covers the GDPR layer, which demands its own legal basis apart from TCPA consent.

Bottom line for B2B teams: get a real opt-in anyway. Betting on a B2B exemption a court might reject is not worth the few minutes you save by skipping consent.

In TCPA litigation, the burden of proving valid consent sits on you, the defendant. If you cannot produce the opt-in documentation, courts treat that as no consent at all [5].

At a minimum, your records should capture:

  • The timestamp of the opt-in (date and time, with time zone).
  • The IP address the form was submitted from.
  • The exact consent language shown to the consumer at opt-in (form version or screenshot).
  • The phone number as entered.
  • The source or campaign that drove the opt-in (URL, keyword, QR code).
  • Any later opt-out requests and when you processed them.

This is not a one-and-done archive. You need a system that logs this automatically and stores it so you can pull it fast. Litigation holds land quickly. Courts have sanctioned defendants who could not produce opt-in records because they switched platforms and lost the data.

LeadCompliant's compliance kit includes an opt-in record template and a consent audit checklist that a lot of small teams run as their baseline. Cross-check your consent records against phone validation tools before you send, too, since texting a reassigned number (one that was consented under a previous owner) is a common source of accidental exposure.

For teams on Twilio, see Twilio TCPA compliance: what you actually need to do for platform-specific record-keeping guidance.

Does the National Do Not Call Registry apply to text messages?

The National Do Not Call (DNC) Registry, run by the FTC under the Telemarketing Sales Rule, was built for voice calls and does not, on its own terms, force a separate SMS opt-out mechanism [10]. But the TCPA's own DNC provisions do reach text. Under the TCPA, any residential number on the national registry cannot be called or texted for telemarketing without an existing business relationship or a prior express invitation.

The FTC's TSR covers "telephone solicitations" but has not been read to make text-specific DNC scrubbing a standalone requirement the way it is for voice. In practice, most compliant SMS programs scrub against the registry anyway as a belt-and-suspenders move, even where the SMS-specific rules are unsettled.

The more useful point is your own internal DNC list. The TCPA requires you to keep one and to honor opt-outs from any source (text reply, phone call, web form) inside the required window. Plenty of TCPA class actions are built on internal DNC failures, not national registry failures.

For the full picture on how DNC rules interact with SMS, see TCPA.

What industries face the highest SMS opt-in litigation risk?

TCPA plaintiffs and class action firms hunt high-volume texters. The industries that show up most in TCPA SMS litigation are financial services (debt collection, insurance, mortgage), real estate, retail and e-commerce, healthcare, and education (especially for-profit schools) [5].

Real estate teams carry real exposure because agent-to-consumer texting often leans on informal consent grabbed at an open house or through a referral, with no written record. The TCPA does not care how friendly the relationship feels. See real estate text message marketing for the real estate compliance picture.

Restaurants and local businesses running SMS loyalty programs draw fewer suits in practice, but they are not immune. See sample text message marketing for restaurants for compliant templates.

The common thread across high-risk industries is high volume plus lists bought through third-party lead generation. Put those two together and the class certification math looks great to a plaintiff's attorney: one named plaintiff plus a large texted class equals enormous aggregate statutory damages even at $500 per message.

If you buy leads, re-read the one-to-one consent section above before your next campaign. That is where most of the current risk lives for small outbound teams.

How should a small outbound team actually set up a compliant SMS opt-in process?

Here is what a defensible process looks like in practice, without over-building it.

First, collect consent at the source, in writing. Use a web form with a standalone checkbox (not pre-checked) that reads something like: "By checking this box, I agree to receive marketing text messages from [Your Company Name] at the number provided. Message and data rates may apply. Message frequency varies. Reply STOP to unsubscribe. Consent is not a condition of purchase." That language, plus your company name and a link to your privacy policy, covers the core FCC requirements [2].

Second, log the consent automatically. Use a platform or form builder that records timestamp, IP address, and form version on every submission. Export and store those records somewhere besides the platform itself, because someday you will switch platforms.

Third, send a confirmation text right away. Program name, message frequency, "Msg & data rates may apply," STOP to unsubscribe, HELP for help, link to terms.

Fourth, process opt-outs within one business day. Do not run this by hand. Your sending platform should catch STOP replies on its own. Confirm it does before your first campaign goes out.

Fifth, run your list against your internal DNC before every send. If you buy leads, demand the exact consent language used and confirm your company was named in it.

The text message marketing best practices: the compliance-first guide article goes deeper on the operational side, including list hygiene and platform configuration.

For teams building an initial process, a marketing text message service with TCPA compliance features built in is worth the higher monthly cost over a bare SMS API. The audit trail alone earns it back.

This article is general information, not legal advice. Talk to qualified counsel about your specific situation.

Frequently asked questions

Can I text someone who gave me their number on a paper form?

Yes, if that paper form carried the required TCPA written consent language: your company name, a disclosure that they agree to receive marketing texts, a statement that consent is not required to buy anything, and their signature or initials. A phone number alone on a paper form is not consent for marketing texts. Scan and store the signed form as your evidence.

No. The FCC's 2012 Omnibus Order requires an affirmative act by the consumer. A pre-checked box does not show a voluntary, knowing agreement. Courts have consistently rejected pre-checked boxes as valid TCPA consent. Use an unchecked box the consumer has to actively select, and keep it separate from other terms-of-service agreements.

For informational texts (appointment reminders, account alerts), prior express consent, which can be oral or implied from handing over a number, is enough. For marketing texts, the TCPA and FCC require prior express written consent: a signed agreement, electronic signatures included, that specifically authorizes marketing messages. The distinction matters. Using the wrong consent standard for marketing texts is a common litigation trigger.

The TCPA sets no expiration date on consent, but consent goes stale in practice. If a consumer has had no contact with your business in years, a court might find the consent was effectively revoked by inactivity or that the consumer no longer reasonably expects to hear from you. FCC guidance also ties consent to a specific seller, so an acquisition or brand change can raise questions about whether the original consent still holds.

Yes, it can. The FCC's January 2025 rule requires consent to name a single seller. If your list came from a lead-gen form that bundled consent across several companies, that consent may not be valid for your company going forward. The safe move is to re-consent any list where the original form did not name you. Many legal teams now recommend a re-consent campaign for any list bought from third parties.

Can I send a one-time promotional text to someone who gave consent and then never opted out?

If the original consent was properly obtained (written, named your company, not conditioned on purchase) and the consumer never revoked it, a promotional text is legal under the TCPA. The risk is proving the consent if challenged. Without a documented record of when, where, and how consent was collected, you cannot defend a TCPA claim even if the consent genuinely existed.

What happens if I text a reassigned number whose previous owner consented?

Texting a reassigned number is a known TCPA trap. The FCC set up a one-call safe harbor for voice calls to reassigned numbers, but the protections are limited and courts have handled SMS inconsistently. The FCC's Reassigned Numbers Database lets you check whether a number has been reassigned. Running your list against that database before each campaign cuts your reassigned-number exposure.

Do TCPA SMS rules apply to texts sent from a regular 10-digit long code?

Yes. The TCPA applies when messages go out through an automatic telephone dialing system, whether the number is a short code, a 10-digit long code (10DLC), or a toll-free number. 10DLC registration with carriers is separate from TCPA compliance, and it does not create or replace legal consent. You need valid opt-in consent regardless of the number type you send from.

Political calls and texts to cell phones using an autodialer still require prior express consent under the TCPA. The political and nonprofit exemptions apply only to certain manually dialed calls to residential lines, not to autodialed texts. This catches many advocacy and political organizations off guard. The FCC has enforced it against political campaigns. If you text cell phones with an autodialer for any purpose, you need consent.

What is double opt-in for SMS and is it legally required?

SMS double opt-in means the consumer signs up (single opt-in) and then confirms by replying YES or a keyword to a confirmation text. It is not required under the TCPA, but it builds a stronger consent record because you have proof the consumer controlled the phone at confirmation. Carriers and CTIA guidelines recommend it. For high-risk industries or purchased leads, it is worth doing.

You can collect email and SMS consent on the same form, but each channel needs its own clear disclosure and its own checkbox. A single box that says "I agree to receive marketing communications" is too vague to meet the FCC's TCPA written-consent standard for SMS, because the consumer never specifically authorized autodialed text messages. Keep the SMS consent language separate and specific.

How does Florida's FTSA differ from the TCPA for SMS marketers?

Florida's Telephone Solicitation Act, effective July 1, 2021, created its own private right of action for unsolicited texts and reaches manually dialed calls and texts under some readings, not only autodialed ones. Damages mirror the TCPA at $500 to $1,500 per violation, but Florida courts have read "telephonic sales call" broadly. If you have any volume of Florida recipients, treat every text as if FTSA applies, whatever your dialing method.

What should I do if I receive a TCPA demand letter for SMS violations?

Do not ignore it. Preserve everything immediately: consent documentation, send logs, opt-out records, list sources. Delete nothing. Call a TCPA defense attorney before you respond. Early settlement is common and usually cheaper than litigation, though some demand letters are opportunistic and negotiable. The strength of your defense rides almost entirely on the quality of your consent documentation.

Sources

  1. Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (TCPA full statute text): TCPA provides $500 per violation and up to $1,500 for willful violations; applies to autodialed calls and texts
  2. FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 (2012 Omnibus Order, FCC 12-21): Prior express written consent standard for marketing texts requires signed written agreement, electronic signatures qualify, must not be conditioned on purchase
  3. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA effective July 1, 2021 created private right of action for unsolicited texts; damages $500 to $1,500 per violation
  4. Federal Register, FCC Report and Order on Consent for Text Messages and Robocalls (one-to-one consent rule, effective January 27, 2025): FCC January 2025 rule requires prior express written consent from one consumer to one seller; ends multi-party lead-gen consent aggregation
  5. FTC, Telemarketing Sales Rule (Bureau of Consumer Protection guidance and rule text): TCPA class action settlements have ranged from millions to over $75 million; high-volume texters in financial services, real estate, and education face the most litigation
  6. Cornell Law School Legal Information Institute, 47 U.S.C. § 503 (FCC forfeiture authority): FCC can impose forfeiture penalties per violation under its own enforcement authority, adjusted annually for inflation
  7. Federal Register, FCC Declaratory Ruling and Report and Order on Revocation of Consent (2024): FCC 2024 order affirms consumers may revoke TCPA consent through any reasonable means; companies have 10 business days to process revocation
  8. Cornell Law School Legal Information Institute, 47 U.S.C. § 227(b) (residential subscriber provisions): TCPA applies to residential telephone subscribers; some courts have found B2B cell phone contacts outside TCPA scope but outcome varies by court
  9. FTC, Complying with the Telemarketing Sales Rule (business guidance): National DNC Registry and Telemarketing Sales Rule designed for voice calls; FTC TSR does not create a standalone text-message-specific DNC scrubbing requirement
  10. FCC, Reassigned Numbers Database (program information): FCC Reassigned Numbers Database allows callers and texters to check if a number has been reassigned to a new subscriber to avoid accidental TCPA violations

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit