Last updated 2026-07-09

TL;DR
Text message marketing works, but the Telephone Consumer Protection Act (47 U.S.C. § 227) sets hard rules: written consent before sending, a clear opt-out path in every message, and no texts before 8 a.m. or after 9 p.m. local time. Violations cost $500 to $1,500 per text. Follow the consent, content, timing, and recordkeeping rules in this guide and you drop your exposure fast.
What are the basic legal rules for text message marketing?
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, is the law that governs marketing texts in the United States. [1] It requires prior express written consent before you send any marketing text to a consumer's cell phone. Not verbal consent. Written. The FCC's 2012 order (FCC 12-21) tightened the rule to require that consent be in writing and clearly authorize autodialed or prerecorded marketing messages. [2]
The statute at 47 U.S.C. § 227(b)(1) reads: "It shall be unlawful for any person within the United States...to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice." Courts have applied that language to SMS. [1]
Beyond the TCPA itself, the FCC's rules at 47 C.F.R. § 64.1200 say marketing calls and texts may only go out between 8 a.m. and 9 p.m. in the recipient's local time. [3] The FCC's one-to-one consent order (FCC 23-107) went further. As of January 2025, a lead or consent form cannot bundle consent for multiple sellers at once. Each seller needs its own individual consent capture. [4]
State laws stack on top. Florida's Mini-TCPA (SB 1120, effective July 2021) bans calls and texts to Florida numbers made with auto-dialers without prior express written consent, and gives consumers a private right of action worth $500 per violation. [5] Washington, Oklahoma, and other states have their own versions. Check state law for the recipient's area code, not only the federal rules.
The short version: get written consent per sender, text only between 8 a.m. and 9 p.m. local, honor opt-outs the moment they come in, and keep records. Everything else in this guide is about doing those four things reliably.
What does prior express written consent actually require?
Consent for marketing texts must be prior (obtained before you send anything), express (not implied by a business relationship), and written. The FCC counts electronic signatures, web form submissions, and typed agreements as written, so a checkbox on a landing page qualifies if it meets the other conditions. [2]
The disclosure has to tell the signer, in plain language: (1) they are agreeing to receive autodialed marketing texts, (2) from whom, (3) that consent is not required to buy anything, and (4) how to opt out. Bury that in a general privacy policy or terms of service and it does not count. The capture must be clear and conspicuous, which courts read to mean the disclosure sits close to the checkbox and reads without scrolling past unrelated content.
The January 2025 one-to-one rule matters most if you buy leads. Your company has to be named on the original opt-in form. Consent captured by a lead generator that lists thirty sponsors does not protect you after that rule took effect. [4] It wrecked a lot of lead-gen models. Companies that kept buying shared leads piled up exposure fast. See the text message marketing overview for how that consent chain should be structured.
Store the consent record with a timestamp, IP address, the exact disclosure language shown, and the form URL. You will need it if you get sued. Courts have thrown out TCPA claims where defendants produced clean consent records. Companies that could not prove consent have paid millions. The Credit One TCPA settlement shows what happens when consent records are disputed.
One practical note. Phone numbers get reassigned. The FCC's Reassigned Numbers Database (RND) lets you check whether a number changed hands since you captured consent. [6] If you text someone who took over a number from your consenting customer, you have no valid consent for the new owner. Scrubbing against the RND before each campaign is cheap next to defending a class action.
What do compliant marketing text messages look like? (examples)
Concrete examples help more than abstract rules. Here are a few patterns that check the right boxes.
Promotional offer with opt-out: "Hi [First Name], this is Apex Roofing. Your neighbor just booked a free inspection. Text STOP to opt out. Reply YES to grab one of the 3 slots left this week: [link]"
That message names the sender, states the offer, and puts the opt-out instruction right in the text. It does not claim consent is required to get the offer. It does not go out before 8 a.m. or after 9 p.m.
Appointment reminder with opt-out (transactional, lower risk): "Reminder from Main Street Dental: your cleaning is Thursday 7/10 at 2 p.m. Reply STOP to opt out of texts. Questions? Call 555-0100."
Transactional reminders sit in a different TCPA category. They do not require prior express written consent if they are purely informational with no marketing content. Adding an opt-out is still smart, and many messaging platforms require it in their terms.
Re-engagement with double opt-in confirmation: "You signed up for deals from ClearWater Pool Supply. Reply YES to confirm and get 15% off your next order. Reply STOP to never hear from us. Msg&data rates may apply."
This is a confirmed opt-in flow. You send one message asking for confirmation, which lowers your risk even if the original form capture had gaps.
What to avoid: sending texts without naming your business, dropping the opt-out instruction, firing at 7:45 a.m. because you forgot to check time zones, and blasting numbers scraped from a website or bought off a list with no documented consent. Each of those is a routine fact pattern in TCPA class actions. The UnitedHealthcare $2.5M settlement and the Albertsons/Safeway settlement both involved consent gaps at scale.
Here is a rule of thumb. If you had to read your message out loud to a compliance attorney, would you be comfortable? If not, rewrite it.
How do you handle opt-outs and stay compliant?
The TCPA does not spell out an SMS opt-out mechanism the way the CAN-SPAM Act does for email, but FCC rules and industry practice have settled on a clear standard: honor STOP, UNSUBSCRIBE, CANCEL, END, and QUIT right away. Most SMS platforms process these automatically. Verify that yours does, because a platform that lets even one more message go out after someone texts STOP is handing you liability.
Once someone opts out, do not text them again for marketing. That sounds obvious. The failure mode usually lives in the CRM, not the SMS platform. If the opt-out lands in your SMS tool but your CRM still flags that contact as active, a new campaign queued from the CRM can pull them right back in. Sync opt-outs across every system that touches the number.
FCC rules let you send one final confirmation text after an opt-out, telling the person you processed the request and will not contact them again. That confirmation is allowed even without active consent. [3] Keep it short: "You've been unsubscribed from [Company] texts. No more messages will be sent."
Keep opt-out records. If a plaintiff claims they texted STOP and you kept sending, your only defense is a log showing the opt-out was processed and no marketing texts followed. Those logs have saved companies. The absence of those logs has cost them. The Cash App TCPA class action settlement involved claims about messages sent after consumers had opted out.
One more thing. People sometimes re-opt-in after opting out, which is fine. Document the re-opt-in the same way you documented the original consent, with a timestamp and the disclosure language.
What are the rules on timing and frequency for marketing texts?
The FCC quiet-hours rule is 8 a.m. to 9 p.m. in the recipient's local time. [3] So you cannot schedule a blast for 8:00 a.m. Eastern and let it hit Pacific numbers at 5:00 a.m. Your platform has to apply timezone logic at the individual number level, not the campaign level.
Frequency has no federal cap, but two practical limits apply. First, your consent disclosure may have named a frequency. If you told someone they would get up to four texts a month and you send fifteen, your consent arguably did not cover the extra eleven. Second, state consumer protection laws and some telemarketing rules treat excessive contact as harassment. There is no universal line, but a spike in your unsubscribe rate after a campaign is a signal you sent too many.
Benchmarks vary by sector. Retail SMS programs usually send two to four promotional messages per month. Real estate and financial services teams tend to send fewer, partly because the dollar stakes per message run higher and partly because over-sending in those sectors has produced expensive litigation.
Time zones outside the continental U.S. matter too. Hawaii is UTC-10, and Alaska shifts. If your list includes area codes 808 (Hawaii) or 907 (Alaska), your 8 a.m. Eastern campaign lands in the middle of their night unless you have timezone suppression set up.
Outbound sales teams sending one-to-one texts get the same quiet-hours rule, even when a rep texts by hand from a business phone. A sales rep who texts a lead at 10 p.m. from a personal phone because it is convenient is still subject to the TCPA if the app has auto-dialer characteristics. This is about more than software platforms.
Do you need to scrub against the National Do Not Call Registry for texts?
Yes. The National Do Not Call (DNC) Registry at the FTC covers telephone solicitations, and the FCC has confirmed that text messages count as solicitations under the relevant rules. [7] If a number sits on the DNC registry, you cannot send unsolicited marketing texts to it unless you have an existing business relationship (an FCC-defined transaction within 18 months, or an inquiry within three months) or prior express written consent.
Valid prior express written consent overrides the DNC restriction for texts, the same way it does for voice calls. But if your consent capture has any gap, the DNC registration becomes a separate line of defense for the consumer and a separate source of liability for you.
The FTC charges $72 per area code per year to access the registry, or roughly $19,700 for all area codes. [8] That sounds like a lot until you put it next to per-text statutory damages. Companies that skip DNC scrubbing on large lists are making an actuarial bet that nobody on the list sues. That bet has a bad track record. See current TCPA news for recent enforcement patterns.
The internal DNC list matters too. Once a consumer asks not to be called or texted, whether or not they are on the national registry, you must add them to your internal DNC list and honor it for at least five years. [7] Both lists, the national registry and your internal one, need a check before every campaign send, not once at list acquisition.
What records do you need to keep for SMS compliance?
TCPA litigation is almost entirely a records problem. The statute is not that complicated. The hard part is proving you complied. Here is the minimum documentation set for each marketing text program:
1. Consent records: timestamp, source URL, IP address, the exact disclosure language shown at capture, and the consumer's affirmative action (checkbox value, signature, or reply text). 2. The opt-in confirmation message, if you use a double opt-in flow, including the message body and delivery timestamp. 3. Sent message logs: every message sent, to which number, at what time in the recipient's local time, and from which campaign. 4. Opt-out records: the text received, the timestamp, and the confirmation message sent back. 5. DNC scrub logs: date of scrub, registry version accessed, and the list version scrubbed. 6. Any revocation of consent received through channels other than SMS (email, phone call, written letter), with a timestamp and the suppression action that followed.
How long do you keep them? The TCPA's four-year statute of limitations means at least four years of records, and class action discovery windows can reach further back if the court certifies a class. Five years is the safer standard.
Store these records so they are searchable by phone number. If a plaintiff's attorney sends a litigation hold naming a specific number, you need to pull the complete record for that number fast. An unsearchable archive is almost as bad as no archive.
LeadCompliant has a free compliance kit with consent record templates and opt-out log structures calibrated to what TCPA defendants actually need in discovery. You do not have to build the documentation framework from scratch.
How much does a TCPA violation from a marketing text actually cost?
The statute sets damages at $500 per negligent violation and $1,500 per willful or knowing violation. [1] Send a single campaign to 10,000 people with a consent gap a court finds willful and you are looking at $15 million in statutory exposure before attorneys' fees.
Class actions drive the real cost. A single plaintiff can anchor a class of thousands or millions, and TCPA settlements tend to track the statutory math even after a discount. The Truist Bank TCPA class action settlement is a useful read on how consent gaps in financial services texts turn into class exposure.
Individual suits are more common than most small businesses expect. A consumer who gets three texts without consent can sue for $1,500 per text, or $4,500 total, in small claims court in many states with no attorney needed. That is not a big case. Multiply it by five plaintiffs plus the cost of defense and you are spending real money. Some plaintiffs' attorneys run high-volume individual-suit operations aimed straight at small businesses without clean consent documentation.
The table below shows how exposure scales with list size and per-violation damages.
What are the biggest compliance mistakes SMS marketers actually make?
After years of TCPA litigation, the mistake patterns are well documented. Here are the ones that show up most in settlements and court decisions.
Buying lists. You did not capture the consent. The list seller may swear the numbers are opted in, but you need the actual consent records to verify that. If you cannot audit the documentation, treat the list as non-compliant. The Joseph Snyder Credit One TCPA case shows how purchased or reassigned-number issues become individual TCPA claims.
Checkbox buried in terms. A generic "I agree to terms and conditions" box does not meet the clear and conspicuous written consent standard for marketing texts. Courts have rejected this again and again.
No timezone logic in the sending platform. A single blast scheduled for 9 a.m. Eastern hits Pacific numbers at 6 a.m. if the platform does not adjust. Check the setting before you send.
Opt-out not synced across systems. The CRM still shows the contact as active after the SMS platform records the STOP. The next campaign re-adds them. This is probably the single most common cause of texting-after-opt-out claims.
Reassigned numbers. You have valid consent from a customer who gave up a number three years ago. The carrier reassigned it. Now you are texting a stranger. Scrub the Reassigned Numbers Database before each campaign. [6]
Winback campaigns to old lists. A contact who has not engaged in two years, or who predates your current consent documentation, is a consent gap waiting to become a lawsuit. Verify the consent record exists and is in scope, or suppress them.
Group texts using personal phones. A sales manager who texts 50 leads from an iPhone group-text feature may trigger ATDS concerns depending on the software stack. Use a dedicated business messaging platform with consent management built in.
For a checklist version of these mistakes, LeadCompliant's free TCPA compliance checkers are a practical starting point, especially for teams standing up an SMS program for the first time.
How do state laws change what you need to do?
Federal TCPA is the floor. States can go further, and several have.
Florida's SB 1120 (effective July 1, 2021) added a state-level private right of action for texts made with an automated system to Florida numbers without prior express written consent. [5] It covers calls and texts, carries a $500 per-message minimum damages floor (matching the TCPA), and Florida courts have been busy venues for TCPA and mini-TCPA suits.
Washington State's Commercial Electronic Mail Act covers email, but its broader telemarketing rules touch SMS too. Oklahoma, Maryland, and other states have their own variants. The trend runs toward more state-level enforcement, not less.
California deserves a separate mention. It does not have an SMS-specific statute like Florida's SB 1120, but the California Consumer Privacy Act (CCPA) and the Invasion of Privacy Act (CIPA) both create separate liability for how you handle consumer data tied to your marketing list. Text California residents and your consent capture also has to address CCPA data-handling disclosures. [9]
The practical approach for multi-state programs: find the states that show up most in your area codes, check whether they have mini-TCPA statutes with private rights of action, and set your compliance standard to the strictest applicable law. Running separate compliance tracks per state usually costs more than applying the strictest standard to everyone.
What should your SMS marketing program documentation look like end-to-end?
Think of your SMS compliance program as four systems that have to talk to each other: consent capture, list management, sending, and suppression.
Consent capture is the landing page, web form, or point-of-sale terminal where the consumer agrees. It has to display the disclosure language clearly, record the submission with timestamp and IP, and push that record to your list management system with the number, consent type, and consent source URL.
List management is wherever you store contacts before a campaign. It has to receive opt-outs from the sending platform, pull numbers off send lists, and log the suppression event. It also has to run DNC scrubs and reassigned-number scrubs before it generates a send list. Not before you load contacts into the platform. Before it builds the list.
Sending is the SMS platform. It has to enforce quiet hours by recipient timezone, process opt-out keywords immediately, send opt-out confirmations, and pass opt-out events back to list management. Major platforms (Twilio, Bandwidth, Sinch) do these things, but verify the configuration. Do not assume the defaults are set right.
Suppression is the combined internal DNC list that aggregates opt-outs across every channel: SMS STOP, email unsubscribe, phone call request, written request. Any suppression from any channel goes here, and every send list passes through the filter.
If any of these four systems does not connect to the others, you have a compliance gap. The gap is where the lawsuits come from. Audit the handoffs between systems at least once a quarter, because platforms update their APIs and the connections break without anyone noticing.
For teams building this from scratch, look at text messaging marketing for platform selection guidance alongside the compliance framework.
Does the TCPA apply to one-to-one sales texts from a rep's business phone?
This is genuinely contested, and nobody has perfectly clean data on where courts will land for every fact pattern. The closest authoritative answer sits in how courts read the definition of an Automatic Telephone Dialing System (ATDS). The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed that definition: a system has to use a random or sequential number generator to store or produce numbers to qualify. [10] That decision cut TCPA exposure for manual one-to-one texts sent from a phone where the rep picks the recipient individually.
But "manual" is doing a lot of work in that sentence. If a rep uses a CRM with a click-to-text feature that queues outbound messages, or a power dialer that sequences through a list, those systems may still count as an ATDS even after Duguid. The platform's architecture matters, and plaintiff attorneys have gotten creative about pleading ATDS claims against sales automation tools.
The practical safe harbor: document that each text was individually composed and sent with the rep choosing the recipient. That gets harder to maintain at scale, which is why larger programs use platforms with real consent management instead of running everything through individual rep phones.
Even if the ATDS question goes your way, you still need prior express written consent for marketing texts (as opposed to purely transactional ones), quiet-hours compliance, and opt-out honoring. The ATDS question affects one leg of the analysis. It does not knock out the others.
Frequently asked questions
Can I text someone who gave me their number on a paper form?
Yes, if the paper form carried a clear consent disclosure saying they agreed to receive autodialed marketing texts from your company, that consent is not required to buy, and they signed or initialed it. Scan or photograph the signed form and log it with a timestamp and the form version. Paper consent is valid under FCC rules. The risk lives in documentation completeness, not the medium.
How quickly do I have to honor a STOP request?
Immediately, in practice. The FCC has not published a specific number of minutes, but courts have found violations where a marketing text went out after a STOP arrived in the same campaign. Your SMS platform should suppress the number in real time. Confirm in your settings that opt-out processing is not batched or delayed. One message after a STOP is a separate TCPA violation.
Does the 8 a.m. to 9 p.m. rule apply to transactional texts too?
The FCC quiet-hours rule at 47 C.F.R. § 64.1200 applies to telephone solicitations, which covers marketing texts. Purely transactional texts (appointment reminders, delivery notifications, two-factor codes) are not solicitations and technically fall outside the rule. But sending a transactional text at 3 a.m. is a fast way to generate complaints and possible state-law claims. Apply quiet hours to everything as default policy.
Is there a maximum number of texts I can send per month?
Federal law sets no per-month cap. But your consent disclosure may have named a frequency (for example, "up to 4 msgs/month"), in which case sending more arguably exceeds the scope of consent. State consumer protection laws can treat excessive contact as harassment. Practically, unsubscribe rates and spam complaints spike sharply past about four promotional texts per month for most retail lists, which is its own signal to slow down.
What is the difference between prior express consent and prior express written consent?
Prior express consent (spoken or written) covers non-marketing informational calls and texts. Prior express written consent is required for marketing or promotional texts, meaning any text meant to encourage a purchase or promote goods or services. The written standard has applied to marketing texts since the FCC's 2012 order (FCC 12-21). Verbal consent alone does not authorize marketing texts.
Can I text someone after they purchase from me without getting separate SMS consent?
You can send purely transactional texts (order confirmations, shipping updates) based on the transaction without separate written consent. You cannot send marketing texts based on the purchase relationship alone. The existing business relationship is a defense to DNC registry claims but is not a substitute for prior express written consent under the TCPA for marketing texts. Get explicit SMS marketing consent at checkout.
What should I do if I receive a TCPA demand letter about my SMS program?
Do not ignore it. Pull the consent record for the number named in the letter right away. If the record is clean and complete, that documentation is your primary defense. If there is a gap, talk to a TCPA attorney before you respond. Do not delete or modify any records after the letter arrives; that triggers spoliation risk. Place a litigation hold on all records tied to that number and the campaign it came from.
Do I need a separate consent for every company in my corporate family?
After the FCC's one-to-one consent order (FCC 23-107, effective January 2025), effectively yes. A consumer who consented to texts from Parent Co. has not necessarily consented to texts from Subsidiary Co. if Subsidiary Co. was not named in the disclosure. Each legally distinct entity that sends marketing texts should have consent disclosures that name it specifically. Review your forms if you operate under multiple brand names or legal entities.
Are B2B text messages covered by the TCPA?
The TCPA applies to calls and texts to cell phones whether the recipient is a consumer or a business person. If the number is a mobile phone, the TCPA applies. The FCC has not created a broad B2B exemption for cell numbers. Some courts have found that texts to business landlines fall outside TCPA scope, but reaching a business contact on their mobile still means you need prior express written consent for marketing content.
How do I prove consent if a plaintiff claims they never opted in?
You need the consent record: IP address, timestamp, the URL of the form they submitted, the exact disclosure language displayed, and the checkbox or signature value. If you run a double opt-in flow, the inbound confirmation reply is extra proof. Courts have dismissed TCPA claims when defendants produced detailed consent records. Without that documentation, a he-said-she-said dispute tends to favor the plaintiff, because the statute puts the burden on the sender.
What is the Reassigned Numbers Database and do I have to use it?
The FCC's Reassigned Numbers Database (RND) is a registry of phone numbers that have been disconnected and reassigned to new subscribers. The FCC launched it in 2021. Using it is not technically mandatory, but the FCC created a safe harbor: scrub against the RND before texting, and if the database shows no reassignment, you have a defense against claims from the new number holder. Skip it and you lose that safe harbor when you reach a reassigned number.
Can I text someone who filled out a contact form on my website if I did not mention texts?
No. A general contact form submission or a quote request is not prior express written consent for marketing texts. The capture has to specifically disclose that the person agrees to receive autodialed marketing text messages, from whom, and that consent is not required to receive service. A contact form without that language gives you permission to respond to the inquiry, nothing more.
What are the required elements of every marketing text message?
The FCC and best-practice standards call for clear sender identification (your business name), the promotional content or call to action, an opt-out instruction (STOP to opt out or equivalent), and, for initial messages to new subscribers, a disclosure that message and data rates may apply. Some platforms also require a short program description on the first message. Keep these elements in every outbound marketing text, not only the first one.
Is A/B testing different message versions a compliance risk?
A/B testing message content does not add TCPA risk as long as both versions follow the same rules: sender identified, opt-out included, sent within quiet hours, to consented numbers. The risk shows up if one variant drops the opt-out language to test response rates, or if the test expands to a segment that was not in the original consented list. Run A/B tests only on compliant message versions and within consented lists.
Sources
- Cornell LII, 47 U.S.C. § 227 (TCPA statute text): TCPA prohibits autodialed calls/texts without prior express consent; damages are $500 per violation, trebled to $1,500 for willful violations
- FCC, 47 C.F.R. § 64.1200 (implementing rules for TCPA), via eCFR: FCC rules prohibit telephone solicitations before 8 a.m. or after 9 p.m. in the recipient's local time
- Florida Legislature, SB 1120 (Florida Mini-TCPA, 2021): Florida SB 1120 effective July 1, 2021 bans autodialed calls and texts to Florida numbers without prior express written consent, with $500 minimum damages per violation
- FCC, Reassigned Numbers Database (official program site): FCC launched the Reassigned Numbers Database in 2021; compliance with RND scrubbing creates a safe harbor against TCPA claims from new number holders
- FTC, National Do Not Call Registry (DNC Registry rules and business access): DNC registry applies to text message solicitations; companies must maintain internal DNC lists and honor do-not-contact requests for at least five years
- FTC, DNC Registry fee information (National Do Not Call Registry for businesses): FTC charges $72 per area code per year for DNC Registry access as of recent fee schedules, with a capped annual fee for all area codes
- California Attorney General, CCPA information page: California Consumer Privacy Act imposes data handling and disclosure obligations relevant to marketing contact lists for California residents
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held in 2021 that an ATDS must use a random or sequential number generator to store or produce numbers; narrowed TCPA ATDS definition
- FTC, Telemarketing Sales Rule (16 C.F.R. Part 310): FTC Telemarketing Sales Rule governs telemarketing practices including internal DNC list requirements and applies alongside TCPA