Text message marketing: rules, costs, and compliance for small business

Text message marketing can cost as little as $0 to start, but one TCPA violation runs $500, $1,500 per text. Here's how to do it right.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-09

Small business owner reviewing marketing text message on smartphone in sunlit shop
Small business owner reviewing marketing text message on smartphone in sunlit shop

TL;DR

Text message marketing lets businesses send promotions, reminders, and alerts to opted-in customers via SMS or MMS. Open rates average around 98%. The legal floor is TCPA compliance: you need prior express written consent before sending marketing texts, a clear opt-out path, and quiet hours. Violations cost $500 to $1,500 per message, per person, with no cap on class size.

What is text message marketing and how does it actually work?

Text message marketing, also called SMS marketing or business texting, means sending promotional or transactional messages to a list of phone numbers via short message service (SMS) or multimedia message service (MMS). You write a message, load it into a platform, and it goes out to everyone on your list at once, or on a schedule, or triggered by a customer action.

The mechanics are simple. A business picks a sending number (a 10-digit long code, a short code like 55555, or a toll-free number), connects it to a texting platform, collects phone numbers with consent, and starts sending. Replies come back into the same platform. Most platforms let you segment lists, automate drip sequences, and track delivery and click rates.

Why do people bother? The open rate on SMS hovers around 98%, compared with roughly 20% for email, according to data cited repeatedly by the Mobile Marketing Association and SMS vendors.[1] That gap is the whole story. People open texts. They don't open email the same way. For a flash sale, appointment reminder, or loyalty offer, that difference in attention is real money.

The catch is that the same intimacy that makes texting powerful makes it legally sensitive. Texts go to personal devices. Federal law treats unsolicited marketing texts the same as robocalls. Getting it wrong isn't a slap on the wrist. It's a federal lawsuit.

What does TCPA say about marketing texts specifically?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, is the primary federal law governing marketing texts.[2] The statute was written in 1991, long before smartphones, but courts and the FCC have consistently applied it to SMS. The law says, in relevant part, that it is unlawful to "make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system" to a wireless number.[2]

The FCC extended that prohibition to text messages years ago, ruling that a "call" under TCPA includes SMS.[3] So every marketing text sent with an autodialer to a wireless number without prior express written consent is a potential violation.

"Prior express written consent" is the operative phrase for marketing messages. The FCC's 2012 rules (effective October 16, 2013) tightened the standard. For telemarketing calls and texts, you need a signed, written agreement that clearly authorizes you to send marketing messages to that specific number, discloses that consent is not a condition of purchase, and identifies the seller.[3] A checked box on a web form works. A verbal opt-in at a trade show does not, at least not for marketing texts.

The statute sets damages at $500 per violation for negligent violations and $1,500 per willful violation.[2] Each text to each recipient is a separate violation. Send a promotional blast to 10,000 people without proper consent and you're looking at $5 million to $15 million in statutory damages before any attorneys' fees. That math is why TCPA class actions are so common. See how settlements play out in real cases: [tcpa.]

There is no administrative cap on total damages in a private lawsuit. Class certification in federal court is common because the damages are fixed by statute, which makes claims easy to aggregate. The Albertsons/Safeway TCPA settlement and UnitedHealthcare's $2.5M TCPA settlement show how fast liability scales when a company sends texts at volume without airtight consent records.

Prior express written consent, captured before you send the first message. That's the short answer, and it's the answer that keeps you out of court.

The FCC's rules require that the consent disclosure (1) clearly authorizes calls or texts to a specific number, (2) states the seller's name, (3) describes the type of messages the person will receive, (4) says that consent is not required to buy anything, and (5) includes the message frequency and potential carrier charges ("Message and data rates may apply").[3] All five elements need to be present before the person clicks agree or submits the form.

A web opt-in form is the most common mechanism for small businesses. The form needs the disclosure language right next to the phone number field, not buried in a privacy policy two links away. Courts have rejected consent forms where the disclosure was separated from the submission button by multiple screens or pages.

Keyword opt-in via short code is another common approach. A customer texts a word like JOIN to your short code. The platform sends an auto-reply confirming enrollment, message frequency, opt-out instructions, and the carrier disclosure. Done correctly, that exchange creates a compliant consent record. Keep the timestamp, the number, and the keyword they sent.

What does not count as consent: a business card, a past purchase, a phone number on a signed contract for a different service, or a list you bought from a third-party data vendor. The FCC has been clear that consent must be specific to the sender and the type of communication.[3] Buying a list and texting it is not a compliance strategy. It's a lawsuit waiting to be served.

One more thing about consent: you need to keep records. If you get sued, the burden of proving consent falls on you as the sender. If your platform doesn't log the opt-in timestamp and method for every number, you have a problem. Pick a platform that exports consent records, and keep them for at least four years (the TCPA's statute of limitations).[2]

TCPA text marketing violation costs at different scales Statutory damages at $500/negligent or $1,500/willful per text, per recipient 1,000 recipients, negligent ($500… $500k 1,000 recipients, willful ($1,500… $1.5M 10,000 recipients, negligent ($50… $5M 10,000 recipients, willful ($1,50… $15M 50,000 recipients, negligent ($50… $25M Source: 47 U.S.C. § 227 (TCPA), as cited in Cornell Law LII

How do opt-out requirements work for text marketing?

Every marketing text program must honor opt-outs immediately and permanently. The FCC requires that you offer a clear, easy mechanism to opt out in every message, and that you process it without charging the subscriber.[3] In practice, this means including "Reply STOP to unsubscribe" (or similar language) in the first message and periodically in later ones.

When someone replies STOP, your platform must suppress that number from future sends, typically within the same business day. Some platforms do it in seconds. Sending another marketing message to a STOP responder is nearly automatic willful violation territory, which bumps the per-text damages to $1,500.

Some people try to get creative here: sending one more "confirmation" message after a STOP that also slips in a promo. Bad idea. FCC guidance says the only message you can send after a STOP is a single confirmation that the opt-out was processed, with no marketing content whatsoever.[3]

For businesses running multiple campaigns or sub-brands on the same number, this gets complicated. A STOP from a recipient applies to that number, full stop. You can't keep them on a "different" list.

Keep a suppression list too. When someone opts out, add their number to a do-not-contact list that lives outside your active subscriber list. That way, if you ever import a new list from another source, you can scrub against your suppression list before sending. Managing your DNC list well is covered in depth in our guide to [text messaging marketing.]

What are the quiet hours and frequency rules for text marketing?

The TCPA itself doesn't spell out quiet hours for texts the way the FCC's telemarketing rules set an 8 a.m. to 9 p.m. window for calls. But the FCC has made clear that the spirit of the TCPA applies, and many state laws fill in specific time windows.[4]

The CTIA (the wireless industry association) publishes messaging guidelines that most carriers enforce as a condition of access to their networks.[5] CTIA guidelines recommend no texts before 8 a.m. or after 9 p.m. in the recipient's local time zone. Violate that, and your carrier or aggregator can suspend your sending number.

State laws add another layer. Florida's amended statute (Fla. Stat. § 501.059), strengthened in 2021, restricts calls and texts to 8 a.m. to 8 p.m. and requires explicit written consent for commercial texts.[4] Oklahoma, Washington, and others have their own variations. If your list is national, build your quiet hours around the most restrictive state on your list, or segment by time zone and send accordingly.

Frequency is not federally capped, but it matters in practice. More than one or two texts per day to the same recipient starts generating STOP replies and carrier complaints. High complaint rates get sending numbers flagged or blocked. There's no rule that says you can only send one text per week, but carriers absolutely watch complaint-to-send ratios and will pull your number if that ratio gets bad enough.

How much does text message marketing cost for a small business?

Costs vary by platform, volume, and whether you want a dedicated short code or a standard long code. Most small businesses can start for under $50 a month.

Platform tierMonthly cost (est.)Messages includedBest for
Free plans (Textedly, SimpleTexting trial, etc.)$050 to 500/monthTesting, under 200 contacts
Entry-level paid$20, $50/month500 to 2,000/monthSmall local business
Mid-market$100, $300/month10,000 to 50,000/monthGrowing SMB
High-volume / agency$500+/month100,000+/monthMulti-location, agencies
Dedicated short code$500, $1,000/month (lease) + setupVariesHigh-volume, brand recognition

Short codes cost real money. The CTIA oversees short code leasing, and a dedicated short code runs roughly $500 to $1,000 per month just for the number, plus provisioning fees that can hit $1,000 to $5,000 upfront, plus the platform fees on top.[5] For most small businesses, a 10-digit long code (10DLC) registered through the major carriers is the right starting point. 10DLC registration costs roughly $4 to $20 one-time and keeps per-message costs low (fractions of a cent for SMS, a couple of cents for MMS).[6]

Free text message marketing for small business is real but limited. Several platforms offer free tiers with genuine sending capability, more than trials. The tradeoff is low monthly message caps and limited automation. If you have a small, engaged list and just need to send a weekly promo, a free plan can work. Once you're sending more than a few hundred texts a month, the economics of a paid plan usually make sense.

The real cost most small businesses underestimate is compliance infrastructure: the time to build proper opt-in flows, the platform features that log consent, and possibly legal review of your disclosure language. Skipping that to save money on a free plan while texting an un-consented list is not savings. It's deferred liability. A single TCPA demand letter from a plaintiff attorney can run you $5,000 to $50,000 to settle, and class actions go much higher. The Credit One TCPA settlement and Cash App TCPA class action show what happens when volume and bad consent practices collide.

What are the best text message marketing platforms for small business?

There's no single best platform. The right one depends on your list size, integration needs, and how much automation you actually want to manage.

For very small businesses (under 500 contacts, occasional sends), platforms like Textedly, SimpleTexting, and EZTexting have free or near-free tiers with enough features to get started. They all support keyword opt-ins, scheduled sends, and basic segmentation.

For businesses with e-commerce integrations (Shopify, WooCommerce), Klaviyo and Postscript are popular because they sync with your store data and let you trigger texts based on cart abandonment, order events, or customer segment. Both have compliance features built in but still require you to configure them correctly.

For businesses that need two-way texting or CRM integration, platforms like Twilio (developer-friendly, not plug-and-play), Salesmsg, and OpenPhone work well. These lean toward relationship-based texting rather than broadcast lists.

When you compare platforms, the compliance questions matter as much as the features. Ask every vendor: Does it log opt-in timestamp and method per contact? Does it honor STOP replies automatically and update a suppression list? Does it support 10DLC registration or include it? Does it let you export consent records? If a vendor can't answer yes to all four, keep looking.

No platform makes you automatically TCPA-compliant. The platform is infrastructure. Compliance comes from how you collect consent, what you say in your opt-in disclosure, and how you manage opt-outs. The tool is only as good as the process behind it.

How do you start a text message marketing program from scratch?

Starting right is much cheaper than cleaning up a mess. Here is a practical sequence.

First, decide what you're actually going to text people. Promotions, appointment reminders, order updates, loyalty perks? The answer shapes your consent language, your frequency, and the platform you pick. Don't build a list and then figure out what to say.

Second, set up your sending number. For most small businesses, a 10DLC long code is the right call. Register it through your platform (most handle this) or directly through The Campaign Registry (TCR), the industry body that manages 10DLC registration for U.S. carriers.[6] Registration requires a business description, EIN, and a description of your messaging use case. Expect 1 to 3 weeks for carrier approval.

Third, build your opt-in flow. If you're capturing numbers on a website, put a form with the full disclosure on your checkout page, signup page, or a dedicated landing page. If you're doing keyword opt-in, set up the auto-reply with all required elements. Do not import old lists without verifiable consent records.

Fourth, send a welcome message the moment someone opts in. Confirm the program name, message frequency, opt-out instructions, and the carrier disclosure. This is the message that sets expectations and proves your consent capture is working.

Fifth, keep your list clean. Run numbers through a carrier lookup tool periodically to remove landlines and disconnected numbers. Scrub against your suppression list before every import. High bounce rates and complaints will get your number flagged.

LeadCompliant's free TCPA compliance kit covers the disclosure language templates and consent checklist you need to get the opt-in flow right before you send your first message.

Sixth, document everything. The moment you have to prove consent in a dispute or lawsuit, you want a log showing the number, the date and time, the method (web form, keyword, paper form), and the exact disclosure the person agreed to. Keep it for four years.[2]

What state laws add rules on top of TCPA for text marketing?

TCPA is the federal floor. Several states have built walls above it, and a few are higher than most businesses expect.

Florida's Telephone Solicitation Act (Fla. Stat. § 501.059), as amended by SB 1120 in 2021, is arguably the most aggressive state-level SMS law in the country.[4] It requires prior express written consent for commercial texts, restricts hours to 8 a.m. to 8 p.m. local time, and allows private lawsuits with $500 per-message damages on top of any TCPA claim. Florida has a huge consumer base and an active plaintiff bar, so ignoring it is a real risk for any national texting program.

California's Consumer Privacy Act (CCPA) doesn't regulate text marketing directly, but it governs how you collect, store, and process the personal data (including phone numbers) of California residents.[7] If a California resident asks you to delete their data, you have to delete it from your texting list too.

Washington, Oklahoma, and Indiana each have telemarketing statutes that courts have applied to texts. They vary in their specifics but generally mirror TCPA consent requirements and add state-level damages.

Texas has Chapter 305 of its Business and Commerce Code, which creates a private right of action tied to telemarketing conduct, and courts have sometimes looked at it in the SMS context, though the application is less settled.

The practical implication: if you're texting nationally, you can't think about TCPA alone. Flag Florida and California for special attention, and watch TCPA news because state activity is picking up. The safest approach for a small business is to build your consent practices to the highest existing standard and apply them everywhere.

What has the FCC done recently that affects text marketing rules?

The FCC has been busy. The most significant recent action is the FCC's one-to-one consent rule, adopted in December 2023 with an effective date in early 2025.[8] Under the rule as written, a lead generation website or comparison shopping site cannot bundle consent for multiple companies in a single checkbox. Each company that wants to text or call a consumer must get its own separate, standalone consent. That directly targets the "text blast from partner companies" model many lead generators relied on.

The FCC also adopted rules in 2023 to strengthen carrier blocking of illegal text messages, including texts from numbers that fail to meet Robocall Mitigation Database requirements or show patterns consistent with SMS pumping fraud.[8] Carriers are now more aggressive about blocking high-volume senders whose traffic looks spammy, even when those senders aren't technically violating TCPA.

In 2024, the FCC also moved on AI-generated content in calls and texts, signaling that disclosures about AI-generated voices or content may become required. That rulemaking was still ongoing as of mid-2025.[8]

For small businesses, the one-to-one consent change is the most practically significant. If you've ever used a shared lead form, a co-registration widget, or bought leads from a comparison site, audit your consent records carefully. Consent that looked sufficient under old rules may not survive scrutiny under the one-to-one standard.

What does a TCPA lawsuit over a marketing text actually look like?

Most TCPA text cases follow a predictable arc. A consumer receives marketing texts they didn't agree to (or texts that kept coming after they sent STOP). They find a TCPA plaintiff attorney. The attorney sends a demand letter or files a class action in federal court.

The complaint will allege: the sender used an automatic telephone dialing system (ATDS), the plaintiff is a wireless subscriber, the texts were for marketing, and there was no prior express written consent (or consent was revoked and ignored). Plaintiffs' attorneys use screenshots of texts, carrier records, and opt-out logs as evidence.

Defenders usually argue one of two things: the system used wasn't an ATDS (a contested area of law after the Supreme Court's 2021 Facebook v. Duguid decision, which narrowed the ATDS definition), or valid consent existed.[9] Without clean consent records, the consent defense is hard to win.

The Facebook v. Duguid ruling matters because it held that an ATDS must have the capacity to use a random or sequential number generator to store or produce numbers, more than store and dial numbers from a list.[9] Some platforms that dial from a pre-loaded list may not qualify as ATDSs under this narrower definition, but courts are still working through the implications, and many state laws and the FCC's own rules don't require an ATDS showing at all.

Settlements are common and expensive. The Truist Bank TCPA class action settlement is a recent example of how quickly these resolve for real money. Small businesses often settle fast because the litigation costs alone, more than the damages, make fighting impractical. A plaintiff's attorney who can credibly threaten a class of 50,000 people at $500 each is threatening $25 million in statutory damages. Even a nuisance settlement at 2% of that is $500,000.

The message isn't that TCPA is unbeatable. Clean consent practices, proper opt-out processing, and good record-keeping stop most cases before they start, because there's nothing for a plaintiff to prove.

Is text message marketing actually worth it for small businesses?

Honestly, yes, when done right, for the right business. A local restaurant running a loyalty text list, a dental practice sending appointment reminders, a boutique retailer announcing flash sales: these are cases where SMS beats every other channel on open rate and response time.

It's not worth it when you treat it like a cold email blast. Texting a rented list of people who never heard of you will generate opt-outs, spam complaints, and potential lawsuits faster than almost any other marketing channel. The intimacy that makes texts effective also makes recipients furious when the texts are unwanted.

The economics for legitimate use are strong. If your average customer is worth $200 in annual revenue and a text campaign reactivates 5% of a 500-person list, that's 25 customers and $5,000 in revenue from a campaign that cost you $20 to send. The ROI math is real.

The compliance overhead is not huge if you build it in from the start. The hard part is changing existing processes: getting your web form updated, training staff not to manually add numbers without consent, keeping your suppression list current. None of that is technically complicated. It just takes discipline.

For small businesses specifically, the free tier of a compliant SMS platform plus a solid opt-in form and a few hours of setup is enough to run a real text marketing program. You don't need an agency or a six-figure tech budget. You do need to take the consent and opt-out requirements seriously from day one.

LeadCompliant's free compliance checklist and consent language templates are a good place to verify your setup before you send your first message.

Frequently asked questions

Yes, for marketing texts. A verbal exchange of a phone number or a business card is not prior express written consent under TCPA. For marketing messages, you need a signed or digitally submitted agreement that specifically authorizes commercial texts. If you collected the number in person, get a follow-up opt-in via a web form, a signed paper form, or a keyword reply before you send promotions.

Can I buy a text marketing list and send promotions to it?

No. Consent under TCPA must be given directly to you as the named sender, for the specific type of messages you plan to send. A list purchased from a third-party vendor does not include valid consent you can rely on. Texting a purchased list is one of the fastest ways to generate TCPA class action exposure. Build your list organically through opt-in forms, keyword campaigns, or point-of-sale capture.

What hours can I legally send marketing texts?

TCPA doesn't set explicit text hours, but CTIA carrier guidelines and most state analogs restrict texts to 8 a.m. to 9 p.m. in the recipient's local time zone. Florida narrows that to 8 a.m. to 8 p.m. If you're texting nationally, use 8 a.m. to 8 p.m. local time as your window to stay inside the most restrictive standard and avoid carrier complaints.

What's the difference between a short code and a long code for SMS marketing?

A short code is a 5 or 6 digit number (like 55555) used for high-volume broadcast texting. It's expensive ($500 to $1,000/month to lease) and requires CTIA vetting. A 10-digit long code (10DLC) is a regular-looking phone number registered through The Campaign Registry for business SMS. It costs a few dollars to register and is the practical choice for most small businesses running under 10,000 messages per month.

How do I handle opt-outs so I don't violate TCPA?

Honor STOP replies immediately, the same day and ideally within minutes via your platform's automatic suppression. Send a single confirmation message with no marketing content. Add the number to a permanent suppression list. Scrub that list against any new imports before sending. Don't enroll someone who opted out in a new campaign without them actively re-opting in. Document the opt-out timestamp for every number.

Does the Facebook v. Duguid Supreme Court ruling make TCPA easier for text marketers?

Somewhat, but don't over-read it. The 2021 ruling narrowed the ATDS definition to systems that generate numbers randomly or sequentially, more than store-and-dial systems. So some SMS platforms may not qualify as ATDSs. But state laws, FCC rules, and carrier policies still impose consent requirements independent of the ATDS definition, and many courts still find TCPA violations on other grounds. Clean consent practices remain necessary.

What is 10DLC registration and do small businesses really need it?

10DLC (10-Digit Long Code) registration is a carrier requirement for businesses sending commercial texts from standard 10-digit numbers in the U.S. The Campaign Registry (TCR) manages it. Without registration, carriers will filter or block your messages. Registration costs roughly $4 to $20 and requires your EIN and a description of your messaging use case. If you're sending business texts at any volume, yes, you need it.

The FCC's one-to-one consent rule, adopted in December 2023, requires that each company seeking to send marketing texts or calls get its own individual consent from the consumer. A single opt-in checkbox covering multiple companies or partners no longer satisfies the standard. That ended the common lead-gen practice of bundled consent forms. If you source leads from comparison sites or co-registration pages, audit whether the consent captured meets the one-to-one standard before texting those numbers.

Can I text existing customers about their account without getting marketing consent?

Purely transactional messages (order confirmations, appointment reminders, fraud alerts, password resets) generally don't require prior express written consent under TCPA, though basic prior consent to contact is still good practice. The key is that the message must be non-promotional and directly tied to an existing transaction or relationship. The moment a transactional text includes a promotional offer or upsell, it shifts into marketing territory and the written consent requirement applies.

What records do I need to keep to defend a TCPA claim about a marketing text?

Keep, for at least four years: the opt-in timestamp, the phone number, the consent method (web form, keyword, paper), the exact disclosure language the person agreed to, and any later opt-out timestamps. If you use a web form, preserve server logs. If you use keyword opt-in, preserve the inbound message log from your platform. The burden of proving consent falls on the sender, not the plaintiff.

Are there free text message marketing tools that are actually TCPA-compliant?

Several platforms have free tiers with compliance features included: Textedly, SimpleTexting, and EZTexting all have limited free plans that support keyword opt-in, automatic STOP processing, and suppression lists. The free tier usually caps you at a few hundred messages per month. The platform being compliant doesn't make your program compliant automatically. You still need a proper opt-in flow and consent records no matter which tool you use.

How does text message marketing work for a business with multiple locations?

Multi-location businesses should decide whether to run one central program or location-specific lists. A central program is simpler to manage for compliance (one consent flow, one suppression list) but requires segmenting sends by location if the content is local. Location-specific lists are more relevant to customers but multiply the compliance workload. Either way, each opt-in must identify which location's or brand's messages the customer is agreeing to receive.

What's the TCPA statute of limitations on a text message marketing claim?

Four years, under 28 U.S.C. § 1658, the general federal statute of limitations for acts of Congress. A plaintiff can sue you today over a text you sent nearly four years ago. That's why compliance record-keeping needs to go back at least four years, and why buying an old list and texting it is dangerous even if some of those contacts were once willing recipients of someone else's texts.

Sources

  1. Mobile Marketing Association, SMS Open Rate Data: SMS open rates average around 98%, significantly higher than email's roughly 20% open rate.
  2. 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits automated marketing texts to wireless numbers without prior express consent; damages are $500 per negligent violation and $1,500 per willful violation; statute of limitations is 4 years.
  3. Florida Legislature, Fla. Stat. § 501.059 (Telephone Solicitation Act, as amended 2021): Florida restricts commercial texts to 8 a.m. to 8 p.m. local time, requires prior express written consent, and allows private damages of $500 per violation.
  4. The Campaign Registry (TCR), 10DLC Registration: 10DLC registration for business SMS in the U.S. costs roughly $4 to $20 one-time and requires EIN and a messaging use case description submitted to TCR.
  5. California Attorney General, California Consumer Privacy Act (CCPA): CCPA governs collection and processing of personal data including phone numbers of California residents, including deletion rights that apply to marketing lists.
  6. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held in 2021 that an ATDS under TCPA must have the capacity to use a random or sequential number generator to store or produce numbers, narrowing the definition that triggers TCPA liability.
  7. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: FTC Telemarketing Sales Rule complements TCPA and governs certain commercial solicitation practices including disclosure and consent requirements for telemarketing.
  8. 28 U.S.C. § 1658, Limitations on Actions: The general federal statute of limitations for acts of Congress, including TCPA, is four years.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit