SMS opt-in rules: what your business must do in 2025

TCPA requires prior express written consent before marketing texts. Learn the exact opt-in rules, required disclosures, and how to avoid $500, $1,500 per-message fines.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Hands holding a smartphone with a blank SMS inbox at a wooden desk in morning light
Hands holding a smartphone with a blank SMS inbox at a wooden desk in morning light

TL;DR

Federal law (47 U.S.C. § 227) requires prior express written consent before sending marketing SMS. That consent has to be in writing, clearly describe what the subscriber is signing up for, include required disclosures, and be given before the first message. One violation can cost $500 to $1,500 per text sent. Here is exactly what your opt-in process needs to contain.

What does SMS opt-in mean legally?

SMS opt-in is the documented consent a person gives before your business sends them marketing text messages. The word "opt-in" sounds casual. The legal standard behind it is not.

The Telephone Consumer Protection Act (47 U.S.C. § 227) prohibits using an automatic telephone dialing system (ATDS) or prerecorded message to send texts to a person's cell phone without prior express written consent [1]. The FCC has consistently read text messages as "calls" under the statute, so every marketing SMS your platform sends triggers that requirement.

The phrase that matters is "prior express written consent." Prior means you hold the consent before the first message goes out, not after. Express means the person took an affirmative step, not that you inferred agreement from a purchase or a web visit. Written means it's documented in a form you can prove in court, whether that's a paper form, a checked digital box, or an SMS keyword reply. All three elements have to exist at the same moment for the consent to hold.

For purely informational or transactional messages, the standard drops to "prior express consent" without the written requirement. Very few business texting programs qualify for that carve-out once any promotional element appears [2]. If your message contains a discount, a product mention, or a call to action, treat it as marketing and require written consent.

For a broader look at how the statute works, see our guide to tcpa sms compliance.

What are the specific opt-in disclosures required by the FCC?

The FCC's 2012 TCPA rulemaking (FCC 12-21) and later orders set out what a written consent disclosure must contain [2]. The disclosure has to appear at the point of consent, right next to the checkbox or keyword prompt, not buried in a privacy policy linked three pages away.

Required elements:

ElementWhat it means in practice
Business identityName the company that will send the texts
Message typeDescribe what kind of messages (promotions, reminders, alerts)
Estimated frequency"Approximately 4 messages per month" or "recurring messages"
"Message and data rates may apply"Verbatim or functionally equivalent language
Opt-out instructionsHow to stop messages (e.g., reply STOP)
Help instructionsHow to get help (e.g., reply HELP or a phone number)
Not a condition of purchaseConsent cannot be required to buy goods or services [2]

That last point trips up a lot of businesses. You cannot gate a purchase, a service, or a discount behind SMS consent. The checkbox has to be unchecked by default, and the customer has to be able to finish the transaction without checking it.

The Cellular Telecommunications Industry Association (CTIA) messaging guidelines add a layer on top of the FCC rules, and most major carriers enforce them [3]. CTIA guidance asks that the opt-in confirmation message restate the program name, opt-out instructions, and the help contact. Carriers can suspend shortcodes or 10DLC campaigns that break these standards, no lawsuit required.

One line worth quoting from the E-SIGN Act: an electronic record satisfies a signature requirement, so a typed name, a checked box with an IP-timestamped log, or a keyword reply from the person's own phone all count as a written signature under 15 U.S.C. § 7001 [1][4].

Consent is only as good as what you can prove. Courts have held that the burden of demonstrating consent falls on the sender, not the recipient [5]. If someone claims they never opted in, you need a record that shows when, where, how, and what disclosure they saw.

A minimal valid record contains the person's name and cell number, the timestamp and date, the IP address or device identifier (for web forms), the exact disclosure text they were shown, and the affirmative action they took (box checked, keyword sent, signature given). If you use a keyword opt-in over SMS, save the inbound message with its timestamp alongside the outbound confirmation.

Store these records for at least four years. The TCPA has a four-year federal statute of limitations under 28 U.S.C. § 1658 for claims brought in federal court, and some plaintiffs have used state consumer protection statutes with longer windows [6].

For lead-generation flows where a third party collects the opt-in on your behalf, the 2024 FCC one-to-one consent rule (FCC 23-107) requires that the consent name your company specifically. A blanket "I agree to be contacted by marketing partners" disclosure no longer satisfies written consent for outbound SMS [7]. The lead vendor's form has to identify you by name. This one change reshapes how anyone buying leads has to operate.

For help building a form that captures all of this correctly, our sms opt-in form guide has templates you can adapt.

TCPA SMS violation: key numbers Federal statutory figures every sender should know 500 $500 per message (negligent violation) 1,500 $1,500 per message (willful violation) 4 4-year federal statute of limitations 2,025 January 2025: one-to-one co… rule effective Source: 47 U.S.C. § 227 and FCC 23-107

What is the difference between single opt-in and double opt-in for SMS?

Single opt-in means you collect consent once, send a confirmation message, and start the program. Double opt-in adds a second step: the confirmation message asks the subscriber to reply YES (or a keyword) before they enter the active list.

Double opt-in is not required by federal law, but it has two practical advantages. It proves the person actually controls the phone number, which matters if someone enters a wrong number or signs up a third party. It also gives you a stronger consent record: you have their inbound keyword reply plus your confirmation, both timestamped. In litigation, that chain is harder to attack.

The CTIA messaging guidelines recommend double opt-in for marketing programs, and several carriers treat it as best practice for 10DLC campaigns [3]. Single opt-in is faster and builds bigger lists. Your list quality tends to be lower, and your legal exposure per message is marginally higher if a non-consenting number lands on the list.

For most businesses running recurring promotional SMS, double opt-in is worth the small dip in conversions. For transactional or triggered messages where the subscriber just made a purchase or filled out a form, single opt-in with a solid confirmation message is usually fine. Our dedicated guide to sms double opt-in walks through the exact flow.

Nobody has good published data on the conversion difference between single and double opt-in for SMS specifically. The closest figures come from email studies, where double opt-in lists show roughly 30% lower signup volume but higher engagement and lower unsubscribe rates. SMS behavior likely tracks similarly, but the SMS-specific research is thin.

The FCC's December 2023 order (FCC 23-107) changed the consent rules for lead generation in two ways [7].

Consent for robocalls and robotexts now has to be given to one seller at a time. A lead generation form that says "I agree to be contacted by our partners" and then sends your number to fifty companies no longer counts as valid prior express written consent for any of them. Each company that wants to text you has to be named in the consent disclosure.

The contact also has to be "logically and topically related" to the website where consent was given. A mortgage inquiry consent disclosure cannot be recycled to cover a solar panel company's text campaign, even if both names appear in a long dropdown list.

For businesses that buy leads, this is the most practically significant TCPA change in a decade. If your lead vendor isn't compliant, every text you send on that list is potentially unconsented. The FCC's own materials on the order frame the target as the "lead generator loophole" and describe the goal as protecting consumers from the flood of robocalls that loophole enabled [7]. Audit your lead sources now, and ask vendors directly how they capture consent under the new rule.

For ongoing developments on this rule and related litigation, the lead generation compliance news and tcpa news today pages track current changes.

What are the penalties for violating SMS opt-in rules?

The TCPA sets statutory damages at $500 per violation for negligent violations. If a court finds the violation was willful or knowing, damages rise to $1,500 per violation [1]. Each text message to each phone number counts as a separate violation.

The math gets ugly fast. A company that sends one marketing text to a list of 10,000 unconsented numbers faces $5 million in negligent-violation damages and up to $15 million if the court finds willfulness. The FCC and state attorneys general can bring their own enforcement actions on top of private suits.

The TCPA is a plaintiff's attorney's favorite statute partly because there's no requirement to prove actual damages. The $500 floor is automatic once the violation is shown. Class actions are common because each class member's damages are identical and easy to calculate.

Real case outcomes give a sense of scale. In 2017, Dish Network agreed to pay $280 million in a federal Do Not Call and TCPA enforcement action brought by the DOJ and FTC, one of the largest telemarketing judgments on record [8]. In 2021, Facebook settled a TCPA class action for $650 million. Small businesses have seen six-figure settlements for campaigns involving only a few thousand contacts.

For a full picture of how enforcement plays out, see our tcpa overview and our guide on tcpa sms compliance.

Do opt-in rules differ for B2B versus B2C texting?

The TCPA applies whenever you text a cellular number, no matter whether the recipient is a consumer or a business person. A sales rep's cell phone is a cell phone. The statute doesn't care that you're selling enterprise software.

B2B texting does carry a marginally different practical risk. Class action plaintiffs are almost always consumers. A business recipient who texts back and forth with your rep for six months and then claims no consent exists has a credibility problem in court. Consent is often implied from the ongoing business relationship, though "implied" is not the same as "documented."

The safer path for B2B looks like the path for B2C: get written consent, keep a record, and honor opt-out requests immediately. You may have more practical leeway in how you collect it. A reply to an email that says "reply YES if you'd like me to text you updates" can serve as documented consent.

If you're comparing compliant platforms for B2B outbound, our guide to b2b lead generation platforms gdpr compliance covers how GDPR and TCPA obligations interact for international B2B teams.

What are the opt-in rules for specific industries like real estate?

Industry doesn't change the underlying federal standard, but it does change how consent tends to flow in practice.

Real estate is worth singling out. Agents routinely text leads from Zillow, Realtor.com, or their own IDX websites without thinking through who gave consent and for what. A Zillow lead who asked to see a listing gave Zillow consent to share their info, not your brokerage consent to text them marketing. If you're dropping that lead into a drip campaign, you need one of two things: Zillow's form disclosure has to name you specifically (rarely how those forms work), or you get a separate consent from the lead before starting the campaign.

Restaurant and retail SMS programs are usually cleaner because the consumer starts it by texting a keyword to a shortcode promoted on signage or a receipt. That keyword reply is the consent, and the confirmation message documents it. The risk there sits in the disclosure on the signage, not in the consent collection itself.

For industry-specific guidance, see our pages on real estate text message marketing and sample text message marketing for restaurants.

The FCC requires that opt-out requests be honored right away and that your system not force any specific format for revocation [2]. If a subscriber texts STOP, QUIT, CANCEL, END, UNSUBSCRIBE, or any reasonable variant, you have to stop. Texting them again after a STOP reply is a willful TCPA violation, which means $1,500 per subsequent message, not $500.

You're allowed to send one final confirmation message after a STOP request. That message can say something like "You've been unsubscribed. Reply START to rejoin." It cannot carry any marketing content. After that single confirmation, the number goes on your do-not-contact list.

Can you re-obtain consent? Yes, but only through a channel that isn't SMS. Email the person, show them an ad with a new opt-in form, or have a sales rep ask during a voice call. You cannot text them an opt-in request, because they already withdrew SMS consent. Some compliance teams also suppress re-opt-in attempts for 30 to 60 days after an opt-out as a buffer, which is a reasonable practice even though the law doesn't require it.

LeadCompliant's free TCPA tools include a consent timestamp checker that verifies whether a given number has an active, documented opt-in before your campaign fires. Worth checking before any large send.

For a step-by-step view of the whole opt-in lifecycle, the sms opt in guide covers consent collection through revocation.

Managing consent by hand stops being viable around 500 contacts. Past that point you need a system that captures consent records automatically, suppresses opted-out numbers in real time, and can export a consent audit trail on demand.

The minimum technical requirements for compliant SMS at scale:

1. A consent database that logs phone number, consent timestamp, IP address, and the disclosure text version the subscriber saw. 2. Real-time suppression: opted-out numbers must be blocked before the message queue fires, not after. 3. Version control on disclosure text. If you update your disclosure language, old opt-ins are tied to the old version. You need to produce the exact text a subscriber saw. 4. Carrier-registered campaigns. 10DLC (10-digit long code) registration requires business identity verification and campaign description approval through The Campaign Registry (TCR) [10]. Shortcodes require carrier approval directly. 5. Frequency caps and quiet hours. The TCPA's quiet hours for calls (8 a.m. to 9 p.m. local time) are generally applied to texts as well, though the FCC has not issued explicit SMS-specific time rules. Most compliance guidance treats the same window as the standard.

For platform options, our marketing text message service and text message marketing software guides compare the tools that handle most of this automatically.

If you want to build a compliance kit around your current setup rather than switching platforms, the LeadCompliant compliance kit has a pre-built consent record template, a disclosure language checklist, and a carrier registration guide that covers 10DLC in plain English.

What state laws add requirements on top of federal SMS opt-in rules?

Federal TCPA sets the floor, not the ceiling. Several states have their own statutes that run stricter or add categories of protection.

California's Invasion of Privacy Act (CIPA, Penal Code § 637.2) is the most aggressive. California plaintiffs have paired CIPA with TCPA claims to seek $5,000 per violation (the CIPA statutory floor), which can exceed TCPA damages in some cases [11]. Florida's Telephone Solicitation Act (FTSA) created a private right of action in 2021 for text messages that use "an automated system for the selection or dialing of telephone numbers," a broader definition than TCPA's ATDS standard [12]. Florida litigation spiked after FTSA passed.

Oklahoma, Washington, and several other states run their own telemarketing statutes that touch SMS. The patchwork means a nationally distributed campaign has to meet the most restrictive state standard that applies to anyone on your recipient list.

The FCC has argued TCPA preempts state laws that conflict with it, but courts haven't consistently agreed, especially where state law adds protections without conflicting with federal requirements. The safe move: comply with TCPA fully, then check whether any state-specific rules apply to your audience.

For real-time tracking of state-level changes, the lead generation compliance news page covers both federal and state developments.

What is the single most common SMS opt-in mistake and how do you fix it?

It's the pre-checked box. Or the disclosure buried below the submit button. Often both.

Courts and the FCC have both been clear: consent obtained through a pre-checked box is not valid, because the person didn't take an affirmative step [2]. Same problem with disclosures that show up after the submit button, below the fold, or in light gray 8-point font. The disclosure has to be clear and conspicuous, meaning it's presented to the consumer in a way that's noticeable, readable, and understandable.

The fix takes about two hours on most web form builders. Uncheck the box by default. Move the SMS disclosure directly above or beside the checkbox. Match the font size to the surrounding form text. Add a link to your full terms rather than cramming everything into the form. Then test it on mobile, because that's where most people will actually see it.

The second most common mistake is not saving the consent record. A clean form that meets every disclosure requirement is worthless if your CRM doesn't log what disclosure text the subscriber saw and when. Build that logging before you start sending.

Third: continuing to text after a STOP. Set up keyword suppression in your sending platform and test it with a real STOP reply before your campaign goes live. Don't assume the platform handles it right without verifying.

Frequently asked questions

Does buying a list of phone numbers count as having SMS opt-in consent?

No. Purchasing a list does not transfer TCPA consent. The original consent, if it exists at all, was given to whoever collected it, not to you. Under the FCC's 2024 one-to-one consent rule (FCC 23-107), consent must name your company specifically. If the list vendor cannot provide documented proof that your business name appeared in the consent disclosure each number signed, that list is not legally usable for marketing SMS.

Can I text someone who gave me their number on a business card?

Giving you a business card is not SMS consent. It signals willingness to communicate, but it doesn't meet the written, affirmative, disclosure-accompanied standard the TCPA requires for marketing texts. You can call or email to ask if they'd like to receive texts and use that reply as consent, or send a single opt-in invitation through another channel. Don't send marketing SMS based on a business card alone.

Purely transactional texts (order confirmations, shipping updates, appointment reminders) require only "prior express consent," not the full "prior express written consent" standard. The distinction matters: you don't need the checkbox-and-disclosure flow if the message is truly transactional. But the moment any promotional content appears in a transactional message, the whole message gets classified as marketing and the higher written-consent standard applies.

How quickly must I honor an opt-out request?

The FCC requires prompt compliance with opt-out requests. In practice, most compliant platforms process STOP replies within seconds. Sending even one more marketing message after a STOP is a willful violation, which carries $1,500 per message in statutory damages. You may send a single non-marketing message confirming the opt-out, and nothing else. Suppression should be automatic and real-time, not batched overnight.

What happens if someone opts in on one platform and I move to a different SMS provider?

Consent follows the subscriber, not the platform. If you hold valid documented consent records from your old platform, you can port them to your new provider and keep texting. What you cannot do is import a contact list without the consent records. If you can't export timestamped consent documentation from your old platform, treat those contacts as requiring fresh consent before messaging them again.

No. The TCPA requires "written" consent for marketing texts, and verbal consent does not qualify. Some businesses record calls and argue the recording is documentation, but regulators and courts have not accepted verbal consent as meeting the written standard. You need a web form, a paper form, a keyword reply, or another documented written mechanism. If someone verbally asks you to text them, follow up with an SMS opt-in confirmation flow before adding them to a marketing list.

What is 10DLC and why does it matter for SMS opt-in compliance?

10DLC (10-digit long code) is the carrier registration system for business SMS sent from standard phone numbers. Since 2021, carriers require businesses to register their brand and campaign through The Campaign Registry (TCR) before sending at volume [10]. Registration asks you to describe your opt-in method. Carriers can block or filter messages from unregistered campaigns. It's not a federal legal requirement, but operating without registration means your messages may not reach recipients, which makes your opt-in process irrelevant.

Only if your disclosure language covered all the message types at the time of consent. If someone opted in for "order alerts" and you start sending weekly promotions, you're outside the scope of what they consented to. The disclosure has to match what you actually send. If your program evolves, the safest fix is to send a new opt-in request for the expanded message types rather than relying on a narrowly worded original consent.

What should my SMS opt-in confirmation message say?

The confirmation message should restate the program name, confirm the subscription, give the estimated message frequency, include "Message and data rates may apply," provide opt-out instructions (STOP to cancel), and provide help instructions (HELP for info or a phone number). Keep it under 160 characters if possible to avoid multipart messages. Many carriers and the CTIA guidelines treat this confirmation as required for marketing programs [3].

Does the TCPA apply to texts sent from a regular cell phone manually?

The TCPA's strictest requirements apply to automatic telephone dialing systems (ATDS) and prerecorded messages. If a human is manually dialing or texting one number at a time from a non-automated phone, some of the ATDS-specific requirements don't apply. However, the line between "manual" and "automated" has been heavily litigated, and many platforms that feel manual qualify as ATDS under court interpretations. Don't rely on a manual-texting argument without specific legal review of your platform.

Keep them for at least four years. The TCPA's federal statute of limitations is four years under 28 U.S.C. § 1658. Some plaintiffs also bring claims under state consumer protection statutes, which can carry longer limitations periods. The practical answer: never delete consent records, and store them in a format that lets you export a specific record quickly if you receive a complaint or a litigation hold notice.

What are quiet hours for SMS marketing texts?

The TCPA's explicit quiet hours apply to telephone solicitation calls: no calls before 8 a.m. or after 9 p.m. in the recipient's local time zone. The FCC has not issued SMS-specific quiet hour rules, but most compliance practitioners and platform providers apply the same 8 a.m. to 9 p.m. window to texts as a conservative standard. Some state laws impose their own time restrictions. Sending promotional texts at 11 p.m. is legal under current federal rules but creates goodwill and deliverability problems even if it avoids a fine.

Do opt-in rules apply to nonprofit organizations?

Nonprofits are not automatically exempt from the TCPA. The statute applies to "any person" and exempts only certain government entities and calls made for emergency purposes. Nonprofits making purely informational or fundraising calls to prior donors may have some latitude under the "established business relationship" doctrine in certain state laws, but that doctrine was eliminated from TCPA rules for robocalls in 2012. For SMS, nonprofits should follow the same written consent process as any other sender.

Sources

  1. U.S. Congress, Telephone Consumer Protection Act (47 U.S.C. § 227): TCPA prohibits using an ATDS to text a cell phone without prior express written consent; damages are $500 per violation, up to $1,500 for willful violations
  2. U.S. Congress, Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001): Electronic signatures, including checked boxes and keyword replies, satisfy the written signature requirement for TCPA consent under E-SIGN
  3. U.S. Congress, 28 U.S.C. § 1658 (Federal Statute of Limitations): Federal statute of limitations for TCPA claims is four years
  4. U.S. Department of Justice, United States v. Dish Network Judgment (2017): Dish Network was ordered to pay $280 million in a 2017 federal Do Not Call and TCPA enforcement action, one of the largest telemarketing judgments on record
  5. U.S. District Court, N.D. California, Facebook TCPA Class Action Settlement (2021): Facebook settled a TCPA class action for $650 million in 2021
  6. The Campaign Registry, 10DLC Registration Overview: 10DLC requires businesses to register brand and campaign details, including opt-in method, before sending marketing SMS at volume through standard 10-digit numbers
  7. California Legislature, Invasion of Privacy Act (Penal Code § 637.2): California CIPA provides $5,000 per violation for certain privacy violations and has been used alongside TCPA claims in SMS litigation
  8. Florida Legislature, Florida Telephone Solicitation Act (FTSA, Fla. Stat. § 501.059): Florida FTSA, amended in 2021, created a private right of action for texts sent using automated systems, with a broader definition than federal TCPA ATDS standard

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit