TCPA SMS marketing compliance rules for 2025

TCPA SMS marketing in 2025 means written consent before every text, $500, $1,500 per violation. Here's every rule you must follow, plain and complete.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Person holding smartphone in sunlit office, SMS marketing compliance concept
Person holding smartphone in sunlit office, SMS marketing compliance concept

TL;DR

TCPA bans marketing texts to cell phones without prior express written consent. FCC rules tightened January 27, 2025, requiring one-to-one consent tied to a single named sender. Violations cost $500 to $1,500 per message. You also need a clear opt-out path, sender identification, and quiet hours from 8 a.m. to 9 p.m. local time. This guide covers every 2025 requirement.

What does TCPA actually require for SMS marketing?

TCPA requires prior express written consent before any marketing text hits a cell phone. Not a shrug, not a verbal yes. A checkbox, a signed form, or a keyword reply that names the company sending the message. Get it wrong and each text is worth $500 to $1,500 to the person who sued you.

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, bars anyone from using an automatic telephone dialing system or an artificial or prerecorded voice to call or text a cellular number without the called party's prior express consent [1]. For marketing messages, the FCC raised that bar to "prior express written consent" in 2013 under its 2012 TCPA Omnibus Order, and the standard has only gotten stricter since [2].

Written consent means the consumer affirmatively agrees, in writing, that a specific company may send promotional texts using an autodialer or prerecorded content. An oral "sure, text me" does not cut it for marketing. The consent has to be voluntary too. You cannot condition a purchase or a service on the consumer handing over that consent [2].

The statute defines prior express written consent as "a written agreement, signed by the person called, that clearly and conspicuously authorizes the seller" to send messages [1]. That's the exact language courts and the FCC reach for when a lawsuit lands.

Purely informational texts (appointment reminders, shipping alerts, two-factor codes) need only prior express consent, not the written kind. But the moment a message promotes a product, a service, or a sale, you are in marketing territory and written consent is mandatory. Most compliance teams treat everything as marketing-grade just to skip the line-drawing fight later.

What changed in January 2025 under the new FCC one-to-one consent rule?

One consent now covers one seller. That's the whole change, and it broke the lead-generation model overnight. The FCC's December 2023 Report and Order (FCC 23-107) took effect for SMS and calls on January 27, 2025 [3]. It killed the practice of collecting a single blanket consent that could then be sold or shared across dozens of unrelated marketing partners.

Under the rule, a consumer's written consent has to be logically and topically related to the website or conversation where it was collected, and it must name the specific seller or sender. Check a box on a mortgage lead-gen form, and that consent covers the named mortgage company. It does not cover the five insurance companies that bought the lead. Every company that wants to text that consumer needs its own individual consent [3].

The FCC's order requires that "a consumer must provide prior express written consent to each individual seller," and consent obtained through a lead generator is valid for a single seller at a time [3]. That one sentence rewrote the shared-lead and aggregated-consent model a large chunk of the lead generation industry had been running on.

Buy leads from a third-party data vendor now, and you have to verify the consent record names your company, not a generic "marketing partners" catch-all. Plenty of vendors are still selling non-compliant records. That is your problem more than theirs. The TCPA puts liability on the sender, not only the consent collector. See tcpa sms compliance for how courts assign that liability.

The CTIA (Cellular Telecommunications Industry Association) updated its messaging principles in 2023 and 2024 to mirror the FCC's direction, requiring explicit program identification at opt-in and one-program-per-consent logic for short code campaigns [4].

What are the TCPA quiet hours for text messages?

Quiet hours run 8 a.m. to 9 p.m. in the recipient's local time. Send outside that window and the text is presumed improper, consent or not. The statute and FCC regulations set the boundary, and it is not yours to bend [1][2].

Here's the trap people fall into. "Local time" means the recipient's time zone, not yours. If you are in Phoenix firing a batch campaign at 8:45 p.m. Mountain Time, every recipient on Eastern Time just got a text at 10:45 p.m. That is a per-message violation. Your sending platform should resolve the area code or ZIP to the right time zone before each message goes out, and it should hold anything that falls outside the window.

Some states go tighter. Florida's Mini-TCPA (Florida Telephone Solicitation Act, amended 2021) restricts calls and texts to 8 a.m. to 8 p.m. local time [5]. Oklahoma and Washington have their own hours too. Market nationally, and building to the strictest common denominator (8 a.m. to 8 p.m. in the recipient's local time) keeps you clear everywhere.

TCPA SMS violation: key numbers for 2025 Federal statutory thresholds and compliance benchmarks every sender should know 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 8 Quiet hours start (local time, 8 AM) 21 Quiet hours end (local time, 9 PM) Source: 47 U.S.C. § 227; FCC 23-107; The Campaign Registry, 2024

What must a compliant SMS opt-in look like?

A compliant opt-in shows who's texting, what kind of texts, how often, that rates may apply, and how to stop, all before the consumer agrees by an affirmative act that names your company. The FCC and CTIA guidelines line up closely here, and courts look for every piece [2][4].

Start with clear and conspicuous disclosure. Before they consent, the consumer must see who is texting them, what kind of messages they'll get (promotional, transactional, alerts), how often, that message and data rates may apply, and how to opt out. Hide this in 6-point font below the fold and you fail the "clear and conspicuous" standard.

Next, an affirmative act. A pre-checked box is not consent. The consumer has to actively check the box, type a keyword, or otherwise signal agreement. Pre-population defeats the voluntariness requirement.

Third, the consent must name your company. A generic "you consent to receive texts from our marketing partners" does not satisfy the 2025 one-to-one rule.

Fourth, keep proof: the timestamp, the IP address or phone number it came from, the exact disclosure language shown at the time, and the specific program or campaign. Retain it for at least four years, since the TCPA's statute of limitations runs four years from the alleged violation [1][10].

SMS double opt-in (where you send a confirmation text and require the consumer to reply YES before messaging starts) is not required under federal law, but it is a strong evidence anchor. If a consumer later swears they never signed up, a confirmation reply in your logs is hard to argue with. The sms double opt-in guide shows how to set this up without friction.

For building the actual intake form, the sms opt-in form walkthrough covers field structure and disclosure placement that survives an audit.

How do opt-out requirements work for SMS?

Once a consumer opts out, you stop. STOP and its variants (UNSUBSCRIBE, CANCEL, QUIT, END) must be honored right away, with no further marketing to that number. Both the FCC and CTIA require it [2][4]. You get one final confirmation text acknowledging the opt-out, and that message cannot carry any promotional content.

The confirmation text is the only exception to the stop-immediately rule, and it has to be brief and purely transactional. Something like "You have been unsubscribed from [Brand] alerts. No further messages will be sent." Anything more risks reading as marketing sent after revocation.

Courts have held that opt-out revocation works even when the consumer skips the magic words. In Van Patten v. Vertical Fitness Group (9th Cir. 2017), the court confirmed the TCPA does not limit consumers to specific keywords when withdrawing consent [11]. Text "please don't text me anymore" and that is a revocation you have to honor.

Scrub your list against opt-outs before every send, more than when the reply lands. If your platform batches sends overnight, a consumer who opted out at 6 p.m. cannot show up in the 7 a.m. batch. The scrub has to happen as close to send time as your system allows.

For the intake process end to end, the sms opt-in article covers both opt-in and opt-out mechanics in one place.

What does every marketing text message need to contain?

Every marketing text needs to identify the sender and give the recipient a way out. TCPA and CTIA guidelines set the expectations, and they are simpler than the consent rules [1][4].

Identification comes first. Every message must clearly identify the sender. The recipient should know who is texting without having to look it up. A cryptic short code number with no name in the body is a problem.

Opt-out reminder next. CTIA best practices call for opt-out language ("Reply STOP to unsubscribe") in every message, or at least periodically, such as the first message and then monthly. Plenty of teams include it in every send to kill any ambiguity.

Message and data rates disclosure is usually handled at opt-in, but if your program ties any recurring billing to SMS, the disclosure belongs in the message too.

Some industries stack more on top. Financial services texts need their regulatory disclosures. Real estate marketing texts carry their own wrinkles around fair housing and state licensing. See real estate text message marketing for how those apply in practice.

Restaurant and hospitality marketers tend to underrate this. A loyalty program text is still a marketing text. The sample text message marketing for restaurants article shows compliant templates with the required elements baked in.

What are the TCPA penalties for illegal text messages?

Penalties run $500 per negligent violation and $1,500 per willful or knowing one, per message, per recipient, with no cap [1]. One campaign can turn into millions in exposure fast. That math is why the plaintiffs' bar treats TCPA like a business line.

Class actions are the real threat. TCPA class settlements regularly hit the tens of millions. Facebook settled a TCPA class action for $650 million in 2021, one of the largest privacy settlements on record. Sunrun settled for $18.8 million in 2022. These are not edge cases. Statutory damages are automatic and require no proof of actual harm, so attorneys aggregate thousands of class members and let the per-message figures do the work.

The FCC can also issue administrative forfeitures, separate from private suits. The agency has proposed forfeitures of $5.1 million and higher against illegal robocall and messaging operations [7]. On SMS specifically, it has moved toward civil actions coordinated with the DOJ.

State attorneys general can bring actions under their own mini-TCPA statutes, often stacking state claims on federal ones. Florida, California, and New York have been the most active [5].

One thing people miss: you can be liable even if you outsourced the texting to an agency or bought the list from a vendor. Courts have held that the seller or brand a text is sent on behalf of can face direct TCPA liability, more than the vendor who pressed send [11].

How does CAN-SPAM relate to SMS marketing compliance?

CAN-SPAM governs commercial email. TCPA governs texts. They run in parallel and do not overlap for SMS [8]. Send a marketing email, CAN-SPAM applies. Send an SMS, TCPA applies. Send both in one campaign sequence, and each medium follows its own rules.

The confusion comes from messages that arrive through email-to-SMS gateways (like texting a 10digitnumber@carrier.com address). The FCC's position is that if the message reaches a cellular number, TCPA consent rules apply to the content no matter how it was routed [2].

CTIA guidelines add a third layer specific to how messages travel across carrier networks. CTIA's messaging principles cover short code compliance, prohibited content categories (certain financial offers, cannabis, firearms where restricted), and campaign registry requirements for 10-digit long codes (10DLC) [4]. Carriers can block or filter non-compliant traffic on their own, independent of FCC enforcement, so CTIA compliance is a practical must even where you might win a legal technicality.

The overlap trips up teams running multi-channel campaigns. TCPA requires written consent before the text goes out. CAN-SPAM runs on an opt-out model, so you can email someone until they say stop. Treat both channels with the same permissive habits and that is where compliance breaks.

Do TCPA rules apply to B2B SMS marketing?

Mostly yes, with a narrow carve-out. The TCPA covers calls and texts to cellular numbers, period. It draws no line between a consumer's personal cell and a business employee's work cell [1]. Text a sales rep's iPhone to pitch your software, and TCPA applies.

The one meaningful B2B exception is the established business relationship (EBR) defense, and it is limited and fragile. EBR can defend certain informational texts to an existing customer, but it does not grant blanket permission for marketing texts, and it does not apply in states like California that stripped it out entirely.

B2B SMS is lower-risk than consumer SMS for one structural reason: recipients are usually employees acting in a business capacity, and courts have occasionally treated their employer's consent to business communications as relevant. Relying on that theory without written consent is a gamble no responsible compliance team should take.

If you run B2B outreach through a marketing text message service, configure it with the same opt-in documentation you'd use for consumer campaigns. The cost of doing it right is small. The cost of getting it wrong is the same $500 to $1,500 per message either way.

For platforms handling both B2B and consumer lead flows, the b2b lead generation platforms gdpr compliance article covers the extra layer that kicks in if any contacts are in Europe.

What is the 10DLC campaign registry and why does it matter?

10DLC (10-digit long code) is the registration system carriers now require before you can send business texts through standard 10-digit numbers. Register your brand and each messaging campaign with The Campaign Registry (TCR), or your traffic gets filtered or blocked. Starting in 2021 and tightening through 2023, AT&T, T-Mobile, and Verizon made this mandatory for application-to-person (A2P) texting [4][9].

Registration means submitting your company name, EIN, use case (marketing, account notification, two-factor auth, and so on), sample message content, and opt-in method documentation. Carriers review and approve campaigns before allowing throughput. Unregistered traffic gets filtered or blocked outright.

This matters for TCPA compliance because your opt-in documentation has to match what you registered. Register a "loyalty program" campaign and then start blasting promotional flash-sale texts, and the carrier can flag or block the traffic. If the FCC or a plaintiff's attorney subpoenas those records, the gap between registered use and actual use is bad evidence.

Fees are modest. Brand registration runs about $4 one-time, and campaign registration is typically $10 to $15 per campaign per month (carrier fees vary and change, so check TCR's current schedule directly) [9]. Skipping registration to save those fees while risking $500-per-message exposure is one of the stranger false economies in marketing.

Short codes (5 or 6 digit numbers) run their own approval process, historically through CTIA's Common Short Code Administration, with a detailed application and carrier review that can take 8 to 12 weeks. Short codes cost $500 to $1,000 per month leased, plus setup fees [4].

What should your compliance checklist cover before sending any SMS campaign?

There is no single official government checklist, but the requirements pull cleanly from 47 U.S.C. § 227, FCC orders, and CTIA guidelines into a practical pre-send review [1][2][3][4].

CheckpointRequirement SourcePass Condition
Written consent obtained47 U.S.C. § 227(b)(1)Documented, timestamped, names your company
Consent is one-to-oneFCC 23-107 (eff. Jan 2025)Not shared with other sellers
Opt-in disclosure was clearFCC / CTIAProgram, frequency, STOP language shown at opt-in
DNC scrub completed47 C.F.R. § 64.1200Checked within 31 days
Send time in 8 a.m. to 9 p.m. local47 U.S.C. § 227(b)(1)(C)Time zone resolved per recipient
Message identifies senderCTIA Messaging PrinciplesCompany name in body
STOP language includedCTIA Messaging PrinciplesReply STOP to unsubscribe
Opt-outs scrubbed before sendFCC / TCPA case lawSuppression list current to send time
10DLC campaign registeredCarrier requirementsApproved for this use case
Consent records retained4-year SOL (28 U.S.C. § 1658)Stored with full audit trail

For a ready-to-use version, LeadCompliant offers a free SMS compliance checklist as part of its one-time compliance kit, covering each federal and CTIA requirement in one downloadable document.

The platform matters too. Your text message marketing software should handle time-zone enforcement, opt-out scrubbing, and consent recordkeeping automatically, not leave them as manual steps you'll forget under deadline.

Stay current on enforcement through tcpa news today and lead generation compliance news. The FCC has signaled more rulemaking is likely in 2025 and 2026.

How do state laws stack on top of federal TCPA rules?

Federal TCPA sets the floor. States build higher. Several passed their own telephone solicitation laws in 2021 and 2022 with stricter consent standards, shorter quiet hours, or extra opt-out requirements [5].

Florida's FTSA (Fla. Stat. § 501.059) is the most consequential. It covers any "automated system" for selecting or dialing numbers, a definition broad enough that some courts have read it to cover software that simply imports a contact list without true random generation. It grants a private right of action, and plaintiffs' attorneys have flooded Florida federal courts with FTSA class actions since mid-2021 [5].

Oklahoma's Telephone Solicitation Act added its own written consent requirement for automated texts. Washington State's Consumer Protection Act has been used alongside TCPA claims. California's CCPA adds a data layer: if a consumer requests deletion, you have to pull them from your texting lists too.

Texas, Georgia, and Michigan have all seen growing state-law SMS litigation. The trend runs toward more state-level activity, not less.

The safest posture: treat TCPA as your minimum, then figure out which state laws apply based on your recipients' area codes and layer in the stricter rules for those states. More work upfront, sure. But a class action in Florida or California costs far more than the audit.

For the federal foundation before you layer state law on top, the tcpa overview walks the full statutory framework.

Frequently asked questions

Yes. Filling out a contact form is not consent to receive marketing texts under the TCPA. The form must carry clear opt-in language naming your company, describing the messages they'll receive, and including a STOP instruction. The consumer has to affirmatively check a box or provide written agreement. Without that, you cannot send a promotional text, not even a single one.

What is the statute of limitations for TCPA SMS lawsuits?

Four years. The federal catch-all statute of limitations at 28 U.S.C. § 1658 applies to TCPA claims, giving plaintiffs four years from the alleged violation to file. That's why compliance teams retain consent records, opt-in timestamps, and message logs for at least four years. Some state claims carry different limitation periods that run concurrently.

Can I text someone who gave me their number verbally or on a business card?

Not for marketing. A business card or a verbal number exchange is not prior express written consent under the TCPA. You can call that number (check the DNC list first), but marketing texts need a signed written agreement that specifically authorizes your company to send automated or prerecorded texts. Written, here, includes electronic signatures and digital checkbox agreements.

Does TCPA apply to texts sent from a regular cell phone without an autodialer?

This is genuinely contested after the Supreme Court's 2021 Facebook v. Duguid decision. That ruling narrowed the autodialer definition to equipment using a random or sequential number generator to produce or store numbers. Peer-to-peer texts from a live human on a standard phone are generally outside autodialer liability. Platform-assisted mass texting almost always qualifies, and some state laws (Florida's FTSA) use broader definitions covering software-assisted sending.

Significantly. Lead generators can no longer collect one consent and sell it to multiple buyers. Each buyer needs consent that names their company specifically. Lead gen companies now have to restructure opt-in flows so each partner is disclosed individually, or sell leads with no texting rights attached. Many existing models were non-compliant the day the rule took effect, January 27, 2025.

CTIA is the wireless industry trade association. It lacks statutory authority like the FCC, but its messaging principles are contractually binding on anyone using carrier networks through most SMS platforms and aggregators. Carriers can filter or block non-compliant traffic based on CTIA standards. Ignoring CTIA guidelines also looks bad in TCPA litigation, since it shows industry norms were disregarded.

What counts as an automated telephone dialing system for SMS under TCPA?

After Facebook v. Duguid (2021), an ATDS is equipment with the capacity to use a random or sequential number generator to store or produce phone numbers and dial them. For SMS, bulk texting platforms that queue and send automatically almost certainly qualify, while a sales rep manually texting from their phone probably does not. Courts keep litigating the edges of this definition.

Yes, and that's exactly what you should do. If your list has consent that's old, undocumented, or collected under a third-party blanket model, run a re-permission campaign through a channel where you still hold clear rights (email, for instance) and get fresh documented consent before resuming SMS. Do not assume old consent holds, especially after the January 2025 rule change.

Are there SMS message frequency limits under TCPA?

The TCPA sets no specific message-per-month cap, but CTIA guidelines recommend disclosing message frequency at opt-in (for example, "up to 4 messages per month") and sticking to it. Sending well beyond the disclosed frequency can be used as evidence of bad faith in litigation and may violate state consumer protection laws around deceptive practices.

Does a text message need to include an opt-out reminder every time?

Federal law does not explicitly require opt-out language in every message, but CTIA best practices call for it in the first message and then at regular intervals (at minimum monthly for recurring programs). Many compliance teams include STOP language in every send to avoid ambiguity. Repeatedly omitting it gets cited as an aggravating factor in TCPA settlements.

What is the difference between a short code and a 10DLC number for compliance purposes?

Short codes (5-6 digits) go through a formal carrier approval process taking 8-12 weeks and cost $500-$1,000 per month to lease. 10DLC uses standard 10-digit numbers registered through The Campaign Registry, with brand registration around $4 and campaign fees of roughly $10-$15 per month per carrier. Both require documented opt-in flows. Short codes offer higher throughput and more carrier trust; 10DLC is far more accessible for smaller senders.

Do TCPA quiet hours apply to transactional texts like shipping confirmations?

The FCC's quiet hours (8 a.m. to 9 p.m. local time) technically apply to all autodialed calls and texts covered by the TCPA. In practice, most enforcement and litigation targets marketing messages. Still, a 2 a.m. shipping confirmation sent via an automated platform sits outside the safe window. Build time-zone enforcement into your sending logic and you cover both use cases with the same infrastructure.

Can customers sue me directly under TCPA, or only the government?

Both. The TCPA has a private right of action, so individual consumers can sue with no government involvement and collect $500 per violation, or $1,500 for willful ones. The FCC and state attorneys general can bring separate enforcement actions on top. That private right of action drives the class action wave, since plaintiffs' attorneys aggregate thousands of class members and seek statutory damages without proving actual harm.

Sources

  1. U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA prohibits autodialed or prerecorded calls/texts to cell phones without prior express consent; sets $500-$1,500 statutory damages per violation; restricts contact to 8 a.m.-9 p.m. local time
  2. CTIA, Messaging Principles and Best Practices: CTIA requires explicit program identification at opt-in, one-program-per-consent logic, opt-out keyword honoring, and 10DLC campaign registry compliance for A2P messaging on US carrier networks
  3. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA restricts automated texts to 8 a.m.-8 p.m. local time, uses a broader autodialer definition than federal TCPA, and allows private right of action per violation
  4. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to equipment using random or sequential number generator to store or produce numbers; peer-to-peer manual texting generally outside TCPA autodialer liability
  5. U.S. Federal Trade Commission, CAN-SPAM Act: A Compliance Guide for Business: CAN-SPAM (15 U.S.C. § 7701) governs commercial email, not SMS text messages; separate from TCPA which governs calls and texts to cellular numbers
  6. The Campaign Registry, Registration and Fees: 10DLC brand registration fee approximately $4 one-time; campaign registration $10-$15 per campaign per month per carrier; required before A2P SMS throughput on major US carrier networks
  7. U.S. Government Publishing Office, 28 U.S.C. § 1658, Four-Year Catch-All Statute of Limitations: Federal four-year statute of limitations applies to TCPA claims; consent and message records should be retained at least four years
  8. U.S. Court of Appeals, Ninth Circuit, Van Patten v. Vertical Fitness Group, 847 F.3d 1037 (9th Cir. 2017): Ninth Circuit confirmed TCPA does not limit consumers to specific opt-out keywords; any clear expression of revocation must be honored by the sender

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit