SMS opt-in meaning: what it is, why it matters, and how it works

SMS opt-in means a person gave prior express written consent to receive texts. Understand the legal definition, TCPA requirements, and what records to keep.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-10

Person holding a smartphone at a kitchen counter considering an SMS opt-in decision
Person holding a smartphone at a kitchen counter considering an SMS opt-in decision

TL;DR

SMS opt-in means a consumer affirmatively agreed to receive text messages from a specific sender before those messages were sent. Under the TCPA (47 U.S.C. § 227), marketers need prior express written consent before sending promotional texts. Without a documented opt-in, each message can cost $500 to $1,500 per violation. The consent must be voluntary, clear, and tied to a specific sender.

What does SMS opt-in mean, exactly?

SMS opt-in means a person took an action, a form submission, a keyword text, a checkbox click, that gave a specific business permission to send them text messages. The word 'opt' means to choose. The person chose in. They were not added to a list by default, they were not pre-checked into anything, and they were not consenting to texts from an entire industry of companies. The permission is specific.

For marketing texts, federal law requires "prior express written consent." That phrase comes from the TCPA, 47 U.S.C. § 227 [1], and the FCC regulations interpreting it at 47 C.F.R. § 64.1200 [2]. "Written" does not mean paper. The FCC has confirmed that electronic signatures and web form submissions qualify. But the consent has to be a clear, affirmative act. A pre-filled checkbox, a buried disclosure in a terms-of-service footer, or consent hidden inside an unrelated contract does not cut it.

The opt-in is also not a one-time formality you can stretch. If someone opted in to receive appointment reminders from your dental office, that consent does not cover promotional discount texts. The scope of the consent limits what you can send. This matters a lot in practice because many businesses collect one opt-in and then send three different types of messages, which is exactly the fact pattern courts have picked apart in TCPA cases.

For a full breakdown of how opt-in fits into the broader regulatory picture, see TCPA SMS compliance.

The TCPA itself, at 47 U.S.C. § 227(b)(1)(A), prohibits making calls or sending texts using an automatic telephone dialing system or prerecorded voice to a cellular number without "prior express consent" of the called party [1]. The word "written" gets added for marketing messages through FCC rulemaking. The FCC's 2012 order (FCC 12-21) tightened the standard for telemarketing texts specifically, requiring prior express written consent [8].

What does "prior express written consent" require in practice? The FCC's rules at 47 C.F.R. § 64.1200(f)(9) define it as an agreement that: (1) bears the signature of the person (including electronic signatures), (2) clearly authorizes the seller to send autodialed or prerecorded texts to a specific phone number, (3) discloses that consent is not a condition of purchase, and (4) states what the person is agreeing to receive [2].

That fourth element trips up a lot of teams. Saying "by submitting this form you agree to receive communications" is too vague. The disclosure needs to describe the type of messages (marketing texts, appointment reminders, order updates), and it needs to name or clearly identify the sender.

The FCC issued a big update in its 2024 one-to-one consent order, which requires that consent be given specifically to the seller sending the messages, not to a lead aggregator or partner list. Buy leads that opted in on a third-party website, and that consent does not cover your texts to them under the post-2024 rules [3]. See TCPA news today for current enforcement updates.

What are the different types of SMS opt-in methods?

There are four main ways a consumer can opt in, and each one carries different documentation demands.

Keyword opt-in. The consumer texts a keyword (like "JOIN" or "YES") to a short code or long code number. This one is clean because the consumer's own phone number is the proof of action. You have a timestamped inbound message. It is one of the easier consent records to keep.

Web form opt-in. The consumer submits a form on your website or landing page that includes an SMS consent disclosure and, ideally, an unchecked checkbox. Your server logs the IP address, timestamp, and form submission data. You need to preserve these logs. Retention is not optional if you want to defend a TCPA claim.

Point-of-sale opt-in. The consumer fills out a paper or tablet form at a physical location. The challenge here is digitizing and storing that record. A scanned form with a timestamp works, but many businesses lose these or never digitize them.

Double opt-in. After the initial sign-up, you send a confirmation text asking the consumer to reply to confirm. Only after they confirm do you start sending campaign messages. This is the most defensible method because you have two records: the initial sign-up and the confirmation reply. Learn more at SMS double opt-in.

None of these methods is bulletproof on its own. What makes any method defensible is the combination of the method and your record-keeping. A keyword opt-in with no log retention is nearly as vulnerable as no opt-in at all if you end up in litigation and cannot produce the record.

Opt-in MethodProof of ConsentRisk LevelBest For
Keyword textInbound message logLowHigh-volume campaigns
Web formServer logs, IP, timestampLow-MediumE-commerce, SaaS
Paper/POS formPhysical or scanned docMedium-HighRetail, restaurants
Double opt-inTwo-step confirmation logVery LowAny, especially high-risk lists
TCPA SMS violation exposure at a glance Key thresholds and damages under 47 U.S.C. § 227 $500 Per-text penalty (negligent… $1,500 Per-text penalty (willful v… $4 Statute of limitations (yea… $4 Minimum opt-in disclosure e… required by FCC Source: U.S. Code, 47 U.S.C. § 227 (Cornell LII)

What does opt-in mean for your mobile number specifically?

Opt-in on a mobile number means you are granting permission tied to that specific phone number, not to your name or email address. This matters because phone numbers get reassigned. The FCC operates a Reassigned Numbers Database that tracks numbers reassigned to new subscribers [4]. If you have an old opt-in record tied to a number that was reassigned after the original subscriber opted in, the new subscriber never gave you consent. Texting that reassigned number is a TCPA violation even if your records show a valid opt-in.

This is one of the less-discussed practical problems with SMS lists. A person opts in, cancels their phone plan, and six months later someone else has their old number. Your database still shows a valid consent record. Checking against the FCC's Reassigned Numbers Database before sending is one way to cut this risk, though the database has coverage gaps [4].

The opt-in attaches to the number, not to the device or carrier. Port a number to a new carrier, and the opt-in follows the number. Replace a phone but keep the number, and the opt-in still holds. The consent rides with the number itself.

For businesses building opt-in forms, see SMS opt-in form for what to include in the disclosure language.

What information must your opt-in disclosure include?

This is where a lot of teams get it wrong. They collect a phone number and add a vague line like "Message and data rates may apply." That line is necessary but nowhere near enough for TCPA purposes.

A legally defensible opt-in disclosure needs to include: the name of the company sending messages, a clear description of the type of messages the consumer will receive, the approximate frequency ("up to 4 messages per month" is the common phrasing), a statement that consent is not required to purchase goods or services, and instructions for how to opt out (typically "Reply STOP to cancel").

The "not a condition of purchase" language comes directly from the FCC's rule at 47 C.F.R. § 64.1200(f)(9) [2]. It has to be there. You cannot tie SMS consent to account creation or checkout completion without breaking this requirement.

The Cellular Telecommunications Industry Association (CTIA) also publishes messaging guidelines that most carriers enforce as a condition of using their networks [5]. CTIA guidelines require that opt-in confirmations include the program name, message frequency, the STOP and HELP keywords, and the "Msg & data rates may apply" line. Carriers actively audit short code programs for these disclosures, and non-compliant programs get suspended.

For real-world examples of how restaurants and retail businesses structure this, sample text message marketing for restaurants shows the full disclosure language in context.

What is the difference between opt-in and opt-out in SMS?

Opt-in is the affirmative act of giving consent before messages start. Opt-out is the act of withdrawing that consent after messages have started. Both matter legally, and the rules are asymmetric.

The TCPA does not spell out an exact opt-out mechanism for every scenario, but the FCC's rules and industry practice require that you honor opt-out requests promptly. "Promptly" in practice means within the next send cycle, and many platforms interpret that as honoring the opt-out before any subsequent message goes out [2]. Ignoring an opt-out request and continuing to send texts is a separate and additional TCPA violation layered on top of any existing consent problems.

The standard opt-out keywords are STOP, QUIT, CANCEL, END, and UNSUBSCRIBE. Most SMS platforms handle these automatically. Carriers also enforce that programs honor STOP universally [10].

Some businesses assume that an opt-out ends all contact. It ends contact for that specific program or message type. You can re-market to that person through other channels (email, direct mail) if you have separate consent for those channels. You can also offer a new, voluntary opt-in through a different channel, as long as you do not send the opt-in offer by text to a number that has opted out.

One more nuance: operational texts (appointment reminders, order confirmations, fraud alerts) are sometimes held to a different standard than marketing texts. The TCPA's consent requirement bites hardest on marketing content. Purely transactional messages to a number you have an existing business relationship with sit in a gray zone that courts have treated inconsistently. Nobody has really clean data on where that line sits. The safest approach is to collect explicit consent for any text program regardless of content type.

What happens if you text someone without a valid opt-in?

The TCPA gives consumers a private right of action. There is no requirement to complain to the FCC first. A person who received an unwanted text can file a lawsuit directly, and many do, sometimes as part of class actions [9].

The statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations [1]. One text to one person is one violation. A campaign that sends one text to 100,000 people without valid consent is 100,000 violations. At $500 each, that is $50 million in potential statutory damages before any class multipliers.

Class actions are the real exposure. Because the TCPA allows statutory damages without proof of actual harm, class certification is relatively easy. Plaintiffs' attorneys can bring large classes of people who received the same message without valid consent. Several companies have settled for eight and nine figures: Papa John's settled a TCPA class action for $16.5 million, and Domino's settled one for $9.75 million, both involving text message consent issues [6].

The FCC can also impose forfeitures independent of private lawsuits, though in practice most TCPA SMS enforcement comes through private litigation rather than agency action.

This is not a theoretical risk. TCPA litigation is one of the most active areas of consumer class action practice in the country. A small team sending 10,000 texts to a purchased list without verified opt-ins is genuinely exposed to a lawsuit within months of launch. See TCPA for a broader overview of the statute and its enforcement history.

How long does an SMS opt-in last, and does it expire?

The TCPA does not set a hard expiration date for consent. A valid opt-in does not automatically expire after 30 days or 12 months. That does not mean old consent records are risk-free.

Courts have looked at the circumstances of consent when weighing staleness. If someone opted in two years ago, received no messages, and then suddenly gets a promotional text, the argument that the consent was abandoned or no longer reflects the consumer's intent has some traction, even if it has not been adopted consistently across circuits. The safer position is to re-engage old subscribers before texting them after a long gap.

Consent does expire in practice in a few specific situations. Materially change the nature of your program (you collected consent for appointment reminders and now want to send promotional offers), and that original consent does not cover the new message type. If the phone number has been reassigned, the consent held by the original subscriber does not transfer to the new one [4]. And once a person opts out, the consent is permanently revoked until they voluntarily opt back in through their own action.

Reasonable practice for most teams: treat consent as active for 18 to 24 months from the last interaction, scrub reassigned numbers before every major campaign, and recollect consent if your program type changes significantly. That is not a legal bright line. It is a risk management posture.

What records do you need to prove a valid SMS opt-in?

In any TCPA dispute, the burden effectively shifts to you to prove consent. You need to produce a record that shows who opted in, when they opted in, what they were told at the time, and on what device or channel the opt-in happened.

The minimum set of records for a web form opt-in: the IP address of the submission, a timestamp accurate to at least the minute, a copy of the exact form or page as it appeared at the time of consent (a screenshot or version-controlled archive), and any confirmation text sent in response. For a keyword opt-in: the inbound text log with timestamp and originating number, plus the confirmation text your system sent back.

Storing these records only in your SMS platform is a single point of failure. Platforms get acquired, go down, or delete historical data. Export your consent records to your own storage regularly.

Retention period: the TCPA statute of limitations is four years under 28 U.S.C. § 1658 [7]. Keep consent records for at least five years to have a buffer. Some state laws carry longer statutes of limitations for related claims, so check the states where you operate.

LeadCompliant's free compliance kit includes a consent record checklist and templates for web form disclosure language, which is a practical starting point if you are building this infrastructure from scratch.

For businesses choosing a platform, text message marketing software has a comparison of platforms and what consent logging they provide.

Does SMS opt-in meaning differ for B2B versus B2C contacts?

This is one of the more genuinely uncertain areas of TCPA law, and anyone who gives you a clean confident answer in either direction is oversimplifying.

The TCPA's restrictions on autodialed or prerecorded calls and texts to cell phones apply regardless of whether the recipient is a consumer or a business professional. The statute applies to the phone number, not to the person's role. Text a salesperson's cell phone, even if that number is listed on a business card, and you still need consent under the TCPA [1].

That said, courts have sometimes found that providing a cell number in a business context (on a business card, in an email signature, on a company website) counts as implied consent to be contacted at that number for business purposes. This is not settled doctrine and the case law is genuinely mixed. The FCC has also not issued a clear exemption for B2B texts the way it has for some B2B calls in specific circumstances.

Practical takeaway: do not assume B2B contacts are exempt from TCPA. Collect express written consent where you can. If your sales team is texting prospects' cell phones through a platform with auto-dialing capabilities, you need consent just as you would for a consumer campaign. For more on how this plays out, B2B lead generation platforms GDPR compliance covers the overlapping consent requirements across frameworks.

See also lead generation compliance news for recent enforcement actions that touch B2B scenarios.

How does SMS opt-in work for real estate and other regulated industries?

Some industries carry compliance layers on top of the TCPA. Real estate is a good example. Agents and brokerages texting leads from listing inquiries, open house sign-ins, or purchased prospect lists face the same TCPA requirements as any other marketer. A person who fills out a form on Zillow to see a property may have consented to Zillow's communications, but that consent does not automatically transfer to the individual agent or brokerage who buys or receives that lead.

The FCC's 2024 one-to-one consent rule speaks to this directly. Lead aggregators can no longer collect one broad consent and resell or distribute it to multiple companies [3]. Each company that wants to text a lead needs its own specific consent from that lead.

For real estate teams specifically, see real estate text message marketing for disclosure language and opt-in flow examples that address the industry's specific lead sources.

Healthcare, financial services, and insurance add their own regulatory layers (HIPAA for health, state insurance regulations, FINRA for securities). In those industries, SMS consent has to comply with the TCPA and whatever sector-specific rules govern the content of the messages. A healthcare provider sending appointment reminders has a different consent architecture than one sending promotional wellness offers.

For any regulated industry, the safest approach is to collect express written consent specific to your organization, retain the records, and document the consent scope clearly.

The FCC's 2024 Report and Order (FCC 23-107) made a big change to how consent obtained through comparison shopping websites and lead generation forms works [3]. Before this rule, a single opt-in on a multi-partner website could be used to justify texts from dozens of companies listed as "marketing partners."

The 2024 rule requires that consent be obtained specifically for each seller. A consumer filling out a form to get a mortgage quote can consent to receive texts from Lender A or Lender B, but they have to make that choice explicitly. A blanket consent covering any company in the mortgage industry does not satisfy the rule.

The rule also requires that the consent be logically and topically related to the website where it is collected. Someone on a car insurance comparison site cannot have their consent stretched to cover texts about home security systems.

The practical implication for most small outbound teams: if you are buying leads from any third-party source, you need to understand exactly what consent language that source used and whether it specifically named your company. If it did not, you do not have valid TCPA consent for those leads under the current rules. Many lead vendors are still operating under pre-2024 consent models. Verify before you text.

The CTIA messaging guidelines also continue to apply on top of all this, enforced at the carrier level [5].

Frequently asked questions

What does opt-in mean for SMS in plain English?

It means a person actively chose to receive text messages from you before you sent them. They took some action, texted a keyword, checked a box, filled out a form, that signaled their agreement. They were not added to your list automatically, and they were not opted in by default. The choice was theirs, and it has to be documented.

Is a verbal opt-in enough to legally send marketing texts?

No. The FCC's rules require prior express written consent for marketing texts, and "written" means a documented signature or electronic equivalent. A verbal agreement over the phone is not sufficient. You need a record showing the person agreed, what they were told, and when it happened. Verbal consent may cover some non-marketing transactional texts in limited circumstances, but it is not a safe foundation for any text campaign.

Can I text someone who gave me their number on a business card?

Probably not safely for marketing purposes. Giving you a business card shows willingness to be contacted generally, but courts have not consistently held that it counts as prior express written consent for autodialed marketing texts under the TCPA. If you are using a platform that qualifies as an ATDS, you need proper written consent even for business contacts. One-to-one manual texts to a new contact fall in a different category, but the line is fact-specific.

What is the difference between single opt-in and double opt-in for SMS?

Single opt-in is a one-step process: the person submits their number and is added to your list. Double opt-in adds a confirmation step: you send a text asking them to reply YES before the subscription activates. Double opt-in produces two records of consent instead of one and filters out mistyped numbers. It shrinks your list size slightly but sharply reduces your TCPA exposure.

Can I use an opt-in I collected through email to send SMS messages?

No. Email consent covers email. SMS consent must be collected separately, specifically for text messaging, and must disclose the SMS program, message frequency, and opt-out instructions. A single form that collects both email and phone number can cover both channels only if the SMS disclosure is present and clear, and if the person gave their phone number knowing they were agreeing to texts.

Add an unchecked checkbox near the phone number field. The checkbox label or an adjacent disclosure must state the company name, message type, estimated frequency, that consent is not required to purchase, and how to opt out. Store the IP address, timestamp, and form content. Do not use pre-checked boxes. See the SMS opt-in form guide for full disclosure templates.

What TCPA penalties apply if I send texts without proper opt-in?

The TCPA provides statutory damages of $500 per violation for negligent violations and $1,500 per violation for willful violations under 47 U.S.C. § 227(b)(3). Each text to each number without valid consent is a separate violation. There is no cap. Class actions aggregate individual violations, and settlements in TCPA text message cases have reached tens of millions of dollars for companies with large non-consented lists.

Does SMS opt-in expire after a certain period of time?

The TCPA does not set a specific expiration date, but very old consent records carry practical risk. Courts have considered whether stale consent still reflects the consumer's current intent. The stronger risks are that the phone number may have been reassigned to a new subscriber, or that your program has changed enough that the original consent no longer covers what you are sending. Scrub reassigned numbers and recollect consent for dormant lists over 18 to 24 months old.

What is a CTIA-compliant SMS opt-in and why does it matter?

The CTIA (Cellular Telecommunications Industry Association) publishes messaging guidelines that wireless carriers enforce as a condition of network access. A CTIA-compliant opt-in includes the program name, message type and frequency disclosure, STOP and HELP keyword instructions, and the message/data rates disclaimer. Non-compliant programs can be suspended by carriers independent of any FCC enforcement action, which means your messages simply stop delivering.

Can I buy a phone list and start texting without separate opt-in?

No. Purchased lists almost never come with TCPA-compliant consent that covers your company specifically. Under the FCC's 2024 rules, consent must name the specific seller sending messages. Even if the list vendor claims the contacts opted in, that consent was almost certainly given to a different entity. Texting purchased lists without re-obtaining consent is one of the highest-risk activities in outbound marketing today.

What happens when a consumer opts out of my SMS program?

You must stop sending messages to that number for your program. Industry standard and carrier requirements treat STOP, QUIT, CANCEL, END, and UNSUBSCRIBE as universal opt-out commands. You must honor them before your next send. Continuing to text after an opt-out is a separate TCPA violation. You can re-engage that person through other channels with separate valid consent, but you cannot text them again until they voluntarily re-subscribe.

Do the SMS opt-in rules differ by state?

Yes. The TCPA sets a federal floor, but states like Florida (FTSA), Washington, Oklahoma, and others have enacted their own telemarketing and texting laws that may be stricter. Florida's FTSA, for example, has its own private right of action and applies to any calls or texts made to Florida residents, with some differences in what qualifies as an ATDS. Always check the laws in the states where your contacts are located.

Is a pre-checked checkbox on a web form a valid SMS opt-in?

No. The FCC's rules require an affirmative action by the consumer. A pre-checked box that the person passively allows to stay checked is not an affirmative act. Multiple courts and the FCC itself have treated pre-checked consent as invalid. Use an unchecked box that the person must actively select, with a clear disclosure of what they are agreeing to receive.

How does SMS opt-in work for a marketing text message service?

A marketing text message service sends bulk SMS to a subscriber list. For that list to be legally usable, every number on it needs prior express written consent specific to your company and your message type. The platform itself does not make the consent valid; you collect the consent through your own opt-in flows before adding numbers to the platform. See marketing text message service for how compliant list-building works in practice.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed or prerecorded texts to cell phones without prior express consent; statutory damages are $500-$1,500 per violation
  2. FCC, 47 C.F.R. § 64.1200, Delivery restrictions: Prior express written consent requires signature, authorization of autodialed texts to a specific number, disclosure that consent is not a condition of purchase, and description of message type
  3. FCC, Report and Order FCC 23-107 (2024 one-to-one consent rule closing the lead generator loophole): 2024 FCC order requires one-to-one consent; consent obtained through lead generation websites must be specific to the named seller and logically related to the website topic
  4. FCC, Reassigned Numbers Database: FCC operates a database of reassigned phone numbers; texting a reassigned number is a TCPA violation even if the original holder gave valid consent
  5. FTC Bureau of Consumer Protection, Cases and Proceedings: Multiple companies including Papa John's and Domino's have settled TCPA class actions involving text message consent violations for amounts in the millions of dollars
  6. U.S. Code, 28 U.S.C. § 1658, Limitations on actions: Federal statute of limitations for TCPA claims is four years from the date of the violation
  7. FCC, 2012 Report and Order FCC 12-21, TCPA telemarketing consent rules: FCC's 2012 order tightened the consent standard for telemarketing texts to require prior express written consent rather than just prior express consent
  8. Federal Trade Commission, consumer guidance on unwanted calls and texts: Federal consumer guidance confirms that text messages are covered by the TCPA and that consumers can sue for violations

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit