Last updated 2026-07-10

TL;DR
Federal law (47 U.S.C. § 227) bars marketing texts without prior express written consent. FCC rules tried in 2024 to require one-to-one consent, so a single web form could not create consent for multiple sellers. A federal appeals court vacated that rule in early 2025. Violations still cost $500 to $1,500 per text. This guide covers consent language, recordkeeping, opt-out handling, and state add-ons.
What are SMS opt-in regulations and which laws govern them?
SMS opt-in regulations are the rules that tell you exactly what a consumer must agree to before you can send a marketing text. The main federal law is the Telephone Consumer Protection Act, 47 U.S.C. § 227, passed in 1991 and run by the Federal Communications Commission. The FCC has stacked implementing rules on top of the statute, most recently a 2024 Report and Order that tried to change how consent gets collected for lead generation. [1]
The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) adds a second layer, especially for texts tied to a sale. State laws, covered later, stack on top of that. Text consumers in California, Florida, or a handful of other states and their statutes may be stricter than the federal floor.
No consent, no text. That rule has never changed. What shifted is how specific the consent must be and who it can cover. The 2024 FCC order tried to close what the agency called the lead generator loophole, a practice where one checkbox on a web form claimed to generate consent for dozens of unrelated companies. [2]
For how these rules fit the full TCPA framework, see our guide on tcpa sms compliance.
What exactly does "prior express written consent" mean for texting?
The TCPA splits consent into two tiers. Purely informational texts (appointment reminders, delivery updates, one-time passcodes) need only "prior express consent." Marketing or advertising texts need "prior express written consent," which is a higher bar. [1]
The FCC's regulations at 47 C.F.R. § 64.1200(f)(9) define prior express written consent as an agreement that:
1. Is in writing (which includes electronic records and web form submissions under the E-SIGN Act). 2. Bears the consumer's signature or electronic equivalent. 3. Clearly authorizes the specific seller to send autodialed or prerecorded calls or texts. 4. Discloses that consent is not a condition of purchase. 5. States that standard message and data rates may apply.
The statute says consent cannot be "required as a condition of purchasing any property, goods, or services." [1] That clause matters. If your checkout says "enter your phone number to complete your order" and there is no separate opt-in checkbox, you almost certainly do not have valid marketing consent.
Electronic consent is fine. A checked checkbox on a web form, a reply to a double opt-in text, or a signed paper form all work. Pre-checked boxes do not. Neither do disclosures buried in a privacy policy or consent hidden inside 800-word terms of service. Courts have rejected all three. [3]
For a form that holds up, our sms opt-in form resource has sample disclosure language.
What did the FCC's 2024 order change about SMS opt-in rules?
The FCC's December 2023 Report and Order (FCC 23-107) was the biggest attempted change to SMS consent rules in more than a decade. The core of it: consent had to be one-to-one. Then a court struck it down. Here is what happened and what still binds you. [2]
Under the rule, a consumer's consent on a comparison-shopping site, a mortgage lead form, or any other third-party lead page would apply only to the specific company named on that form, not to a list of partners, affiliates, or co-registrants. The FCC was blunt that pages listing "up to 25 partners" would no longer produce valid TCPA consent.
The order also required consent that is "logically and topically associated" with the interaction. Fill out a form for a car insurance quote, and that consent covers car insurance offers. It would not cover mortgage offers, personal loans, or home security systems, even if those showed up in fine print.
Then the timeline broke. The FCC set a compliance date of January 27, 2025. Days before it took effect, the Eleventh Circuit vacated the one-to-one consent rule. So the standalone one-to-one requirement is not in force right now.
Here is what did not go away. The underlying consent standard still governs: prior express written consent naming the specific seller. Buy leads from a third-party source and text those consumers, and you still need affirmative proof your company was named and the consumer agreed to hear from you. Buying a list and texting it is not a gray area. It is a TCPA violation with a paper trail pointing back to you. Lead-gen consent stays the single riskiest area in SMS. Watch tcpa news today for further movement. [2]
The FCC also runs plain-language consumer guidance on robotexts and consent at fcc.gov. [4]
What are the required elements of an SMS opt-in disclosure?
A valid SMS marketing opt-in disclosure has to spell out specific things. Courts and the FCC have both thrown out consent that technically existed but never told the consumer what they signed up for.
Here is what your disclosure needs:
| Element | Why it's required | Example language |
|---|---|---|
| Your company name | Consent must name the specific seller | "Acme Insurance LLC" |
| Nature of messages | Consumer must know it's marketing | "marketing messages about our products" |
| Estimated frequency | CTIA best practice, increasingly cited by courts | "Up to 4 messages/month" |
| Message and data rates disclosure | FCC rule, 47 C.F.R. § 64.1200 | "Msg & data rates may apply" |
| Opt-out instructions | Required at enrollment and on request | "Reply STOP to cancel" |
| Help instructions | CTIA standard | "Reply HELP for help" |
| No purchase required statement | Explicit TCPA requirement | "Consent is not a condition of purchase" |
| Link to terms and privacy policy | CTIA and state law (especially CA) | Hyperlinks in web context |
The CTIA, the wireless industry trade group, publishes messaging principles that carriers use as the baseline for short code and 10-digit long code (10DLC) programs. [5] If your disclosure does not match those standards, carriers may filter your messages or shut down your sending.
One practical note: font size and placement matter. The FTC has gone after companies where the disclosure was present but set in 6-point gray text below the fold. Regulators and plaintiffs' lawyers look at the whole screen, not the words alone.
What are the TCPA penalties for violating SMS opt-in rules?
The TCPA gives consumers a private right of action. They can sue you directly, without waiting for the FCC or FTC. Statutory damages run $500 per violation for ordinary violations and $1,500 per violation for willful or knowing ones. [1]
One text sent without consent is one violation. A campaign of 10,000 texts to unconsented numbers could produce $5 million to $15 million in statutory damages. Plaintiffs do not have to show actual harm. The violation is the harm.
Class actions are the real threat. Because damages need no proof of individual injury, plaintiffs' attorneys certify SMS classes routinely. For a mid-size business that ran an unconsented campaign for a few months, settlements often land in the hundreds of thousands of dollars, even when the harm to any one consumer was tiny.
A few real outcomes:
- Papa John's settled a TCPA SMS class action for $16.5 million in 2013. [6]
- Domino's settled a similar case for $10 million.
- Keller Williams reached a $40 million settlement in a TCPA case involving real estate texts. [6]
The FCC levies its own fines too. Across 2023 and 2024 the agency pushed hard on robotexts, proposing forfeiture orders in the millions against illegal text campaigns. [4]
For how these suits actually unfold, the tcpa overview covers the litigation mechanics.
How does the opt-out process work for SMS, and what are the rules?
Opt-out is not optional. The TCPA and FCC rules require every marketing text program to honor opt-out requests promptly. The industry standard, enforced by carriers through CTIA guidelines, is that you stop sending within 24 hours of an opt-out. Most compliant platforms process it right away. [5]
The required keywords are STOP, QUIT, CANCEL, UNSUBSCRIBE, and END. Your system has to recognize all of them. If a consumer texts "stop texting me" in plain English, good practice (and increasingly courts) treats that as an opt-out too, even though it is not a magic word.
After an opt-out, you must:
1. Send one final confirmation text acknowledging the opt-out (the only text you can send to an opted-out number). 2. Stop all further marketing texts to that number. 3. Honor the opt-out even if the consumer later opts in through a different channel, unless you can document clear new consent.
You cannot charge for opt-out processing. You cannot force the consumer to call a number to opt out. You cannot make opt-out conditional on any action. The FCC has been explicit on all three.
Keep your opt-out records. Someone opts out, and six months later a new list drops their number back into your send. You text them. Now you are liable. The suppression list has to be checked against every send. That is an operational discipline more than a legal one.
For how the sms double opt-in process protects you on both consent and opt-out verification, that resource covers the mechanics.
Are there different rules for B2B texts versus consumer texts?
Teams ask this constantly. The honest answer is mostly no, with a narrow exception.
The TCPA applies to calls and texts to any "telephone number assigned to a... cellular telephone service." It does not care whether the number is a personal cell or a cell listed on a business card. Text a mobile number without consent and the TCPA applies. [1]
The narrow exception: some courts and FCC guidance suggest texts to business landlines (which cannot receive SMS anyway) fall outside the TCPA's SMS provisions. In practice almost all business contacts in 2025 get texts on mobile numbers, so this rarely helps.
Where B2B differs in practice:
- FTC Telemarketing Sales Rule exemptions: B2B telemarketing has some carve-outs from TSR do-not-call rules, but the TCPA wireless number rules are separate.
- Implied consent arguments: some courts have found a business publishing its mobile number in a commercial context creates a narrow implied consent for business-relevant outreach. That is litigation territory, not a safe harbor.
- State mini-TCPA laws: California's CCPA/CPRA treats B2B contacts differently for data privacy, but California's privacy statutes still reach unauthorized texts.
Run B2B outreach on mobile numbers, and you should collect consent the same way you would for consumer campaigns. Relying on implied B2B consent is not worth the exposure. For b2b lead generation platforms gdpr compliance, that guide covers international consent frameworks alongside the US rules.
What state-level SMS opt-in regulations do you need to know about?
States have been filling gaps that federal law leaves open, and the pace picked up after 2020.
California is the most aggressive. The California Consumer Privacy Act (CCPA) and its 2020 amendment, the CPRA, require businesses to disclose the categories of personal data they collect (phone numbers included) and to honor opt-out-of-sale requests. California's Invasion of Privacy Act (CIPA) reaches electronic communications too. CIPA class actions against SMS programs now run parallel to TCPA suits in California courts. [7]
Florida passed the Florida Telephone Solicitation Act (FTSA) in 2021, a state analog to the TCPA with its own private right of action. The original law covered any automated system that could send texts in sequence or randomly, broader than the federal ATDS standard. Florida narrowed it in 2023 after a wave of litigation, but it still requires consent for telephonic sales calls and texts, and the private right of action stands. [8]
Oklahoma, Washington, and other states have passed or are weighing mini-TCPA statutes. Washington's Commercial Electronic Mail Act (CEMA) reaches some text marketing. Texas has Business and Commerce Code Chapter 305 on unsolicited commercial messages.
The safe posture: build your consent and opt-out infrastructure to California and Florida standards. Clear those and you clear almost everywhere else.
| State | Primary law | Private right of action? | Key addition vs. TCPA |
|---|---|---|---|
| California | CCPA/CPRA, CIPA | Yes | Data privacy + CIPA text coverage |
| Florida | FTSA (2021, amended 2023) | Yes | Broader ATDS definition (pre-2023) |
| Washington | CEMA | Yes | Covers commercial electronic messages |
| Texas | Bus. & Com. Code Ch. 305 | Limited | Unsolicited commercial messages |
| Oklahoma | Oklahoma Telephone Solicitation Act | Yes | Mirrors TCPA structure |
How do you document and store SMS opt-in consent records?
Consent is worthless if you cannot prove it in court. Plaintiffs routinely deny they ever opted in, and with no records, you lose. The FCC does not set a retention period, but the TCPA's four-year statute of limitations (28 U.S.C. § 1658, the catchall federal period) is the practical floor. Store records at least four years from the date of consent.
Capture this for each consent record:
- Full name and phone number (in E.164 format if possible)
- IP address of the device that submitted the form
- Timestamp of consent (date, time, timezone)
- URL of the page where consent was given
- Exact disclosure language shown at the time (store a version-controlled snapshot, not a live page link)
- Session ID or transaction ID tying the consent to a server log
- For keyword opt-ins: the inbound message content and timestamp
IP address plus timestamp plus page URL is the combination your attorney needs to defend a TCPA suit. Carriers and courts have accepted it as evidence of consent in contested cases.
Store this outside your main CRM if you can, in a write-once or append-only format. Plaintiffs' attorneys have argued that consent records looking too clean, or edited after the fact, are fabricated. An audit log showing the record was written once and never touched is far more credible.
Evaluating tools? LeadCompliant's free TCPA compliance kit includes a consent record template and a checklist for what each record needs, useful as a baseline even if you build your own.
The sms opt-in resource has more on collecting consent across channels (web form, keyword, point of sale, paper).
What are the rules for short codes, 10DLC, and toll-free numbers?
The sending infrastructure you pick shapes both compliance and deliverability. Three main paths exist for business SMS in the US.
Shared short codes (five or six digit numbers shared by multiple businesses) are effectively dead for marketing. The major carriers eliminated them in 2021 after years of abuse. Still using one? You are out of compliance with carrier rules, separate from any TCPA question. [5]
Dedicated short codes give one company exclusive use of a five or six digit number. They require registration and carrier approval of the messaging program, including the opt-in flow. The application takes four to eight weeks and costs roughly $500 to $1,000 per month plus setup. The payoff is high throughput and strong deliverability.
10DLC (10-digit long codes) is the standard for most small and mid-size businesses. Since 2021, carriers require registration of the brand (the company) and the campaign (the specific messaging program and use case) through The Campaign Registry (TCR). [9] Registration is not optional. Unregistered 10DLC traffic gets filtered hard. The consent attestations attached to 10DLC registration mirror TCPA requirements: you describe your opt-in method and confirm you have consent before texting.
Toll-free numbers can also send SMS, and they require toll-free verification through the carriers. Verification asks for the same consent and use-case details as 10DLC.
None of this registration replaces TCPA compliance. It is a separate layer. You can be fully registered with TCR and still violate the TCPA if your underlying consent collection is broken.
For teams building out a full marketing text message service, infrastructure choices drive both legal risk and deliverability.
What special SMS opt-in rules apply to specific industries?
A few industries carry extra requirements on top of the baseline TCPA rules.
Healthcare and HIPAA: texts containing protected health information (PHI) have to comply with HIPAA's Privacy and Security Rules. Consent for healthcare marketing texts has to address both TCPA and HIPAA. The HHS Office for Civil Rights publishes guidance on electronic communications with patients. [10]
Financial services: banks and lenders texting consumers also have to satisfy Regulation P (privacy notices) and, for credit-related messages, FCRA notice requirements. The CFPB watches deceptive marketing communications broadly.
Real estate: agents carry heavy TCPA exposure because they often text consumers who dropped their numbers on third-party portal sites. The FCC's push to tighten consent for lead generation hit real estate hard, since lead aggregators were a common source of assumed consent. See our real estate text message marketing guide.
Restaurants and retail: higher-frequency, lower-ticket programs (coupons, specials, loyalty points) usually run on keyword opt-in. The consent mechanics are simpler, but frequency disclosures and opt-out handling still apply. sample text message marketing for restaurants covers compliant campaign structures.
Debt collection: the CFPB's Regulation F (effective 2021) governs debt collector communications, texts included. Collectors have to give a clear opt-out mechanism in electronic messages and face frequency limits. [11]
Political messaging: political texts to wireless numbers are fully subject to TCPA consent rules. The FCC has said repeatedly that political organizations get no exemption.
How do you build a compliant SMS opt-in process step by step?
Here is the process in order, with no shortcuts that create liability.
Step 1: Define the program before you collect consent. What will you send, how often, and from what number? Your disclosure has to match your actual program. Say "up to 4 messages per month" and send daily, and you have a misrepresentation problem.
Step 2: Build the disclosure. Use the elements in the table above. Put it next to the consent mechanism (the checkbox or keyword prompt), not in a link you hope people click.
Step 3: Choose the consent mechanism. A web form with a standalone checkbox (not pre-checked) works for most programs. Keyword opt-in (text JOIN to 12345) works well for retail and in-store. Double opt-in (a confirmation text asking the consumer to reply YES) adds protection and produces a self-documenting record. [12]
Step 4: Connect consent records to your suppression list. Every record should be queryable by phone number. Every send should check the suppression list for opt-outs first.
Step 5: Send a welcome message right after opt-in. It should restate the program name, frequency, opt-out instructions, and help instructions. This message is not optional under CTIA guidelines and many carrier program requirements. [5]
Step 6: Implement opt-out keyword recognition for STOP, QUIT, CANCEL, UNSUBSCRIBE, and END. Send the confirmation. Stop all sends.
Step 7: Audit your data sources. Using purchased lists, partner leads, or any third-party source? Document the consent provenance for each record before you text. The current consent standard for lead generation makes this a hard requirement, not a nice-to-have.
For teams using text message marketing software, confirm the platform does consent timestamp logging, suppression list management, and STOP keyword handling natively. Not all do.
Frequently asked questions
Do I need consent to send a text message to someone who gave me their number in person?
Yes, for marketing texts. A consumer handing you a business card or typing their number at a point-of-sale terminal does not create TCPA written consent for marketing on its own. You need a clear disclosure and affirmative agreement when the number is collected. Verbal permission is not enough under the prior express written consent standard. Capture consent in writing, even if it is a paper sign-up sheet with explicit disclosure language.
What is the difference between single opt-in and double opt-in for SMS?
Single opt-in means the consumer submits their number (via form or keyword) and starts receiving messages. Double opt-in adds a confirmation: you send a text asking the consumer to reply YES before the program begins. Double opt-in is not federally required, but it creates a self-documenting consent record, weeds out bad numbers, and is much harder for plaintiffs to challenge. Most compliance professionals recommend it for any high-volume program.
Can I text someone who filled out a form on a third-party lead generation site?
Only if your company was specifically named on that form and the consumer agreed to receive texts from your business. A form that says "consent to be contacted by partners" or lists many company names does not produce valid TCPA consent for any of them. You need proof of consent tied to your named company. Buying leads without verifying consent provenance is a clear TCPA risk. [2]
How long do I have to stop texting after someone opts out?
Immediately, or within 24 hours at the outside. CTIA guidelines and carrier requirements say opt-out requests must be honored within 24 hours, and most compliant platforms process them in real time. You may send one final confirmation text acknowledging the opt-out. After that, any marketing text to that number is a TCPA violation. The opt-out stands even if the number later appears on a purchased list.
Is a pre-checked checkbox on a website valid SMS consent?
No. Pre-checked boxes fail the TCPA's prior express written consent standard because the consumer never affirmatively agreed to anything. Courts and the FTC have both rejected pre-checked consent as legally insufficient. The box has to be unchecked by default, and the consumer has to take an action (checking it) to signal agreement. The disclosure has to sit next to the checkbox, not inside a linked terms document.
What does "STOP, HELP, CANCEL" compliance mean for SMS programs?
Your platform and your program have to recognize the opt-out keywords STOP, QUIT, CANCEL, UNSUBSCRIBE, and END, plus the help keyword HELP. These are required by CTIA guidelines and enforced by carriers at the platform level. When a consumer sends any opt-out keyword, your system sends a confirmation and ceases all further marketing texts. Failing to honor STOP is both a carrier violation (risking program suspension) and a TCPA violation.
Are texts to business mobile numbers covered by TCPA opt-in rules?
Yes. The TCPA applies to texts to mobile numbers whether the number belongs to a consumer or a business employee. The statute covers calls to any cellular telephone service, with no B2B exception for wireless numbers. Some courts recognize narrow implied consent arguments in B2B contexts, but relying on that is risky. Collect written consent for B2B mobile outreach the same way you would for consumer campaigns.
What records do I need to prove SMS consent if I'm sued?
At minimum: the consumer's phone number, the exact disclosure language shown when they consented, the IP address of the consenting device, a timestamp with timezone, and the URL of the page where consent was collected. For keyword opt-ins, the inbound message text and timestamp. Store records at least four years (the TCPA statute of limitations) and keep them non-editable after creation, since tampered records hurt your credibility in court.
Do nonprofit and political organizations have to follow SMS opt-in rules?
Yes for political organizations. The FCC has repeatedly confirmed that campaigns and PACs must comply with TCPA consent requirements for texts to wireless numbers. Nonprofits soliciting donations are also generally subject to TCPA rules for texts. Some narrow TCPA exemptions exist for established business relationships in calling contexts, but those do not reliably extend to autodialed or mass SMS marketing to mobile numbers.
What is a 10DLC campaign registration and does it replace consent requirements?
10DLC registration is a carrier requirement to register your business (brand) and your specific messaging program (campaign) through The Campaign Registry before sending commercial SMS on 10-digit long-code numbers. It has been mandatory since 2021 and affects deliverability. It does not replace TCPA consent. You still have to collect and document prior express written consent for marketing texts. Registration and legal compliance are two separate obligations. [9]
How often do FCC SMS opt-in rules change, and how do I stay current?
FCC rulemaking on SMS consent has sped up. The 2024 one-to-one consent rule was the biggest change in over a decade, though the Eleventh Circuit vacated it in early 2025, so the landscape shifts fast. The FCC publishes proposed rulemakings and final orders at fcc.gov. Monitoring FCC docket 02-278 (the TCPA proceeding) and CTIA messaging guideline updates are the two most reliable ways to catch changes early.
Can I send transactional texts without consent under TCPA?
Transactional or informational texts (appointment reminders, order confirmations, shipping notifications, two-factor codes) require prior express consent, a lower bar than prior express written consent. You still need some form of consent, but not a formal signed agreement. Best practice is to capture consent at the point of data collection and make sure your program does not drift into marketing content, which would trigger the higher written-consent standard.
What is the FCC's definition of an automatic telephone dialing system (ATDS) for SMS?
After the Supreme Court's 2021 Facebook v. Duguid decision, an ATDS is a system that uses a random or sequential number generator to store or dial numbers. A system that texts from a pre-populated list without random or sequential generation may not be an ATDS under federal law. But several states (Florida pre-2023, Washington) use broader definitions. And even non-ATDS marketing texts can violate the TCPA if they use prerecorded messages to wireless numbers without consent. [3]
How does the FTC's Telemarketing Sales Rule interact with TCPA for text messages?
The FTC's Telemarketing Sales Rule (16 C.F.R. Part 310) applies to outbound telemarketing calls and, by interpretation, texts that are part of a telemarketing campaign involving a sale. The TSR has its own consent and disclosure requirements and gives the FTC authority to bring enforcement actions independently of the FCC. If your SMS program promotes a product or service for sale, map your practices against both TCPA and TSR, since different agencies enforce them.
Sources
- U.S. Government, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA requires prior express written consent for marketing texts; prohibits consent as condition of purchase; provides $500-$1,500 per violation statutory damages
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS narrowed to systems using random or sequential number generator; pre-populated list dialers may not qualify
- California DOJ, California Consumer Privacy Act (CCPA) official resource page: CCPA/CPRA requires disclosure of personal data collection including phone numbers and honoring opt-out of sale
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA (2021, amended 2023) creates state TCPA analog with private right of action for unauthorized solicitation texts
- The Campaign Registry (TCR), 10DLC Registration Requirements: Carriers require brand and campaign registration via TCR for 10DLC commercial SMS since 2021; unregistered traffic is filtered
- HHS Office for Civil Rights, HIPAA for Professionals (Privacy Rule): HIPAA Privacy and Security Rules apply to text messages containing protected health information
- CFPB, Debt Collection Rule (Regulation F), 12 C.F.R. Part 1006: CFPB Regulation F (effective 2021) governs debt collector text communications including opt-out requirements
- FCC, 47 C.F.R. § 64.1200, Subpart L (TCPA implementing regulations): FCC regulations at 47 C.F.R. § 64.1200(f)(9) define prior express written consent elements including signature, disclosure, and no-purchase-required clause