Last updated 2026-07-09

TL;DR
Business text marketing works. SMS open rates run around 98% against roughly 20% for email. But every promotional text sent without prior express written consent can trigger a $500 to $1,500 TCPA damages claim. You need three things: written consent, a working opt-out, and records you can hand a court. Get those right and SMS is one of the highest-ROI channels you can run.
What is text messaging for business marketing, and why does compliance matter so much?
Text marketing is sending promotional, transactional, or relationship messages to customers and prospects over SMS or MMS. A retailer texting a coupon code. A dental practice sending an appointment reminder. A SaaS company nudging a free trial. All of those are business texts, and they all fall under one federal statute: the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1].
The stakes are high because the TCPA gives consumers a private right of action. Anyone who gets an unwanted commercial text can sue you directly, no regulator required. Damages run $500 per violation for negligence and $1,500 per violation when the conduct is willful [1]. One blast to 10,000 people without proper consent is $5 million to $15 million in exposure before a single lawyer bills an hour.
That's not hypothetical. UnitedHealthcare paid $2.5 million to resolve alleged TCPA violations, and large retailers like Albertsons and Safeway settled TCPA class actions over text campaigns gone wrong. The pattern repeats. A company launches an SMS program, shortcuts the consent step, and lands in litigation that costs more than the campaign ever earned.
Here's the good news. The rules are knowable. The FCC has issued detailed orders interpreting the TCPA, and if you follow them, you have a defensible program. The rest of this guide walks through exactly what they require.
What federal law governs business text messages?
The main law is the Telephone Consumer Protection Act, passed in 1991 and codified at 47 U.S.C. § 227 [1]. The statute originally targeted autodialed phone calls. The FCC's rules extended it to texts. Since at least 2003 the agency has treated an SMS message as a "call" under the TCPA, so every restriction in the statute applies to texts too [2].
The FCC's rules require "prior express written consent" for marketing texts sent using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice [2]. That written consent has real requirements. It must be signed (an electronic signature counts), it must authorize messages from the specific sender, and it must disclose that consent is not a condition of purchase [3].
The statute at 47 U.S.C. § 227(b)(1)(A) makes it unlawful "to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system... to any telephone number assigned to a... cellular telephone service" [1]. The FCC reads "call" to include texts.
Two other federal laws touch SMS. CAN-SPAM covers commercial email and barely overlaps with text, but the FTC's enforcement stance there shapes how regulators view deceptive mobile marketing. The Do Not Call Registry, run by the FTC, applies to voice calls and not to texts. Several state laws create DNC-style protections for texts anyway, which the state-law section below covers.
What type of consent do you need before sending a marketing text?
There are three consent tiers under the TCPA, and picking the wrong one is one of the most common mistakes in SMS marketing.
Prior express consent covers purely informational messages, like a bank fraud alert or a flight delay. Lower bar. The customer just gave you their number in a context where that kind of message was reasonable to expect.
Prior express written consent is required for any text that is "telemarketing" or "advertising" under the FCC's definitions, meaning it promotes the sale of a product or service [3]. This is what most business marketing texts need. The consent must be in writing (electronic signatures work), name the company that will be texting, describe the type of messages, and state that consent is not a condition of purchase.
There is no consent that makes it safe to text a number on the national DNC registry when a marketing message lacks written consent. The TCPA's written-consent rule for texts is stricter than the DNC rules anyway, so getting consent right solves both problems.
The FCC's 2024 one-to-one consent order, effective January 2025, tightened things further [4]. A lead-gen consent form that authorized "marketing partners" no longer satisfies the written-consent requirement. Each seller has to get consent separately and specifically. Bought a list of numbers from a lead aggregator with claimed consent attached? You need to confirm the consent named your company. If it didn't, those numbers are off-limits.
Keep records of every consent: the timestamp, the IP address, the exact disclosure language shown, and the form field value. You want to reconstruct what a consumer saw and agreed to on any given date. Courts expect exactly that.
What are the required opt-out rules for SMS marketing?
Every marketing text program has to offer an opt-out, and when someone uses it, you have to honor it fast [2]. The industry standard, and what most SMS platforms enforce on their own, is to stop marketing messages within 10 business days of a STOP request. Immediate cessation is safer, and most platforms do it in real time.
Honor STOP, QUIT, CANCEL, END, and UNSUBSCRIBE as opt-out keywords at a minimum. One more marketing message after a STOP reply is its own TCPA violation. You can send a single confirmation text acknowledging the opt-out. That one message is allowed. No promotional content can ride along with it.
Here's a common way teams get burned. They suppress a number in the SMS platform but leave it active in a separate marketing database feeding a different campaign. If that number gets another text from your brand through the second system, you've violated the opt-out even though no person made a deliberate mistake. A centralized suppression list that syncs across every sending system is the only safe setup.
You also need opt-out instructions in the first message and periodically after that. Most platforms add a standard footer like "Reply STOP to opt out" automatically, which is fine. If yours doesn't, add it yourself.
How does the FCC's 2024 one-to-one consent rule change things for SMS marketers?
The FCC's December 2023 order (effective January 27, 2025) closed what the agency called the "lead generation loophole" [4]. Before the rule, a single online consent form could legally authorize dozens of marketing partners to contact a consumer. Check a box agreeing to offers from "our trusted partners" and you could get texts from companies you'd never heard of.
Under the new rule, marketing consent has to be one-to-one. The consumer must consent to messages from a specific named company, not a category of companies or a vague partner list. The FCC's order says the consent must be "logically and topically associated with the website" where it was collected, so a mortgage-quote site can't show a consent disclosure for unrelated auto dealers [4].
For most businesses running their own list, this changes nothing. You already get direct consent from people who sign up on your site or in your store. The impact lands on companies that bought or rented lists from lead aggregators, and on the lead generators themselves, who now have to rebuild their forms.
If you buy leads from any third party and text them, run the vendor's consent documentation through a compliance review before your next send. The risk of texting improperly consented numbers is clearer now than it has ever been. See text messaging marketing for a closer look at how lead-sourced lists interact with these rules.
What do the TCPA's calling hour restrictions mean for text messages?
The TCPA's rules restrict calls, including texts, to between 8 a.m. and 9 p.m. in the recipient's local time [3]. You have to know where your recipients are and send accordingly. A text blasted to a national list at 8 a.m. Eastern arrives at 5 a.m. Pacific, which breaks the rule for every West Coast recipient.
Most serious SMS platforms handle time-zone-aware sending on their own. If yours doesn't, either segment your list by time zone or set a conservative window (9 a.m. to 8 p.m. Eastern, which keeps you inside the 8-to-9 window for all continental US zones).
Sundays and holidays aren't exempt from the time limits, and they aren't separately restricted either. A text at 8:05 a.m. Sunday is legal. One at 7:55 a.m. is not. Whether Sunday-morning texting helps your brand is a different question, and usually the answer is no.
State law sometimes goes tighter. Florida's mini-TCPA (the Florida Telephone Solicitation Act, or FTSA) has been read to restrict certain texts to 8 a.m. to 8 p.m. and adds requirements beyond federal law. If you have Florida recipients, treat FTSA compliance as its own checklist item.
What should a compliant SMS marketing opt-in look like?
A compliant opt-in has five parts, and all five need to be present before the consumer submits a number.
First, the name of the company sending texts has to be clearly visible. "Sign up for texts from [Your Brand]" works. A generic "receive marketing messages" with no sender named does not.
Second, describe the message types. "Promotional offers, new arrivals, and exclusive discounts" gives enough specificity. You don't need an exhaustive list, but the consumer needs a fair idea of what they're agreeing to.
Third, state the anticipated frequency. "Message frequency varies" is acceptable if you genuinely don't know the cadence. "Up to 4 messages per month" is better.
Fourth, a statement that consent is not a condition of purchase [3]. The FCC's rules require it. "You do not need to provide consent to make a purchase" satisfies it.
Fifth, a note about standard rates: "Message and data rates may apply."
The opt-in should also link to your SMS terms and privacy policy. Some platforms build all of this into a standard disclosure block that drops in below any phone-number field, which is a reasonable approach. Read the exact language your platform uses. Don't assume it's compliant.
Paper opt-ins count too. A sign-up sheet in your store is valid written consent as long as it carries all five elements. Scan or photograph every paper opt-in and store it with a timestamp.
How much do text messaging marketing services cost, and what features matter for compliance?
SMS marketing platforms run from roughly $20 per month for basic plans to several thousand a month for enterprise tools with advanced segmentation, analytics, and API access [5]. Pricing usually follows one of three models: per-message fees (typically $0.01 to $0.05 per SMS), a monthly subscription with a message allotment, or a hybrid.
For compliance, the features that matter aren't the ones in the sales deck. What you actually need:
- Automatic opt-out handling that processes STOP keywords in real time and suppresses the number across every campaign
- A consent timestamp log that records when each subscriber opted in and what disclosure they saw
- Time-zone-aware sending that respects the 8 a.m. to 9 p.m. window per recipient
- A quiet-hours override that blocks sending outside legal hours even when a campaign is scheduled wrong
- Export capability so you can pull your full subscriber list, with consent metadata, if litigation ever hits
Well-known platforms include Twilio (API-focused, strong for developers), EZTexting, Klaviyo (strong e-commerce integration), SimpleTexting, and Podium. Each handles compliance differently. Before you sign with any of them, ask three questions directly: how does your system process STOP requests, what gets logged per subscriber, and can I export that data in a form usable as legal evidence?
If you're a small regional business, say a retailer shopping for a text service in Green Bay or a similar mid-size market, a mid-tier platform in the $50 to $150 per month range almost certainly has everything you need. Enterprise platforms rarely make sense below about 50,000 active subscribers.
| Platform Tier | Monthly Cost Range | Best For | Key Compliance Feature |
|---|---|---|---|
| Basic (e.g., EZTexting basic) | $20, $60 | < 500 contacts | Auto STOP processing |
| Mid-tier (e.g., SimpleTexting) | $60, $200 | 500 to 10K contacts | Consent logs, time-zone sending |
| Advanced (e.g., Klaviyo, Attentive) | $200, $1,500+ | 10K+ contacts, e-commerce | Full audit trail, list hygiene |
| Enterprise / API (e.g., Twilio) | Usage-based | Developer teams | Full control, requires own compliance layer |
LeadCompliant's free compliance checklist has the exact questions to ask any SMS platform before you sign, which can save you a painful vendor switch later.
What TCPA lawsuit risks should SMS marketers actually worry about?
The realistic threat model for a small-to-mid-size business running SMS has two scenarios.
First, the serial plaintiff. These are individuals, often working with small plaintiff-side TCPA firms, who deliberately sign up for marketing lists (sometimes using spoofed or ported cell numbers) and then sue over texts they claim they never properly consented to. Individual TCPA settlements run $500 to $2,000 per claim, and most small businesses settle rather than fight. The best defense is airtight consent records that kill the claim fast. Produce a timestamped, source-attributed opt-in record and most serial plaintiffs and their counsel move on.
Second, the class action. Rarer, and far more expensive. These usually start when a company blasts a purchased list, or when a platform bug sends messages to opted-out numbers. The Credit One TCPA settlement and the Cash App TCPA class action settlement show how these resolve: multimillion-dollar funds paid out to class members. The Truist Bank TCPA class action settlement is another data point. In every one, the core allegation was texting people who never consented or who had revoked consent.
Nobody has clean data on total annual TCPA litigation volume. The WebRecon index, which tracks federal TCPA filings, has shown SMS-related cases growing as a share of total filings since 2018. The best published figures suggest several thousand TCPA cases hit federal court each year [6].
Stay current on enforcement trends through tcpa news as the regulatory picture keeps shifting.
Does the national Do Not Call registry apply to text messages?
The national DNC registry, run by the FTC under 16 C.F.R. Part 310, applies to telephone solicitations, meaning outbound voice calls [7]. The FTC's Telemarketing Sales Rule does not directly cover texts. So technically a number on the DNC registry isn't automatically off-limits for texts under the TSR.
That exemption is narrower than it sounds. The TCPA's separate written-consent requirement for marketing texts is stricter than DNC compliance anyway. If you have proper prior express written consent, the DNC status of the number is mostly a non-issue for texts. If you don't have written consent, the fact that a number isn't on the DNC registry buys you nothing.
Some state laws go further. Florida's FTSA and Oklahoma's telephone solicitation statute cover texts explicitly, and in those states a DNC-registered number may well be off-limits for texts too. State rules are shifting fast. What's legal to text in Texas may not be legal to text to a Florida resident.
Practically: scrub your SMS list against the DNC registry anyway. Not because the TSR requires it for texts, but because DNC-registered numbers tend to belong to the most legally aware people, the ones most likely to file a complaint or a lawsuit over a text they didn't want. It's a cheap risk filter.
What are the best practices for running a safe and effective SMS marketing program?
A compliant SMS program and a high-performing one are mostly the same program. The practices that lower legal risk also improve subscriber experience and deliverability.
Start with double opt-in where you can. After a consumer submits a number, text them to reply YES to confirm. That produces a stronger consent record, filters out wrong numbers, and cuts complaints. Your list grows a little slower, but the list you keep is cleaner and more engaged.
Segment and send relevant messages. A subscriber who opted in for sale alerts and then gets six texts in a week about unrelated promotions feels spammed, complains, and opts out. High opt-out rates are more than a business problem. They're a signal that your consent disclosures may have oversold or undersold what people signed up for.
Run a real-time suppression list. Every opt-out, every number that generates a complaint, and every number your platform flags as a landline goes onto a suppression list that applies to all future campaigns, no matter which list the number came from.
Audit consent at least once a year. Walk your subscriber list and ask, for each contact: do I have a written consent record that meets the current FCC standard? Do I know the date, the source, and the disclosure language? If you picked up contacts more than four years ago without detailed logging, re-permission them (send an opt-in confirmation request) or drop them.
For teams building or auditing their SMS compliance stack, LeadCompliant offers a free TCPA compliance kit with consent record templates and a platform evaluation checklist, which covers the audit steps without a legal retainer for routine hygiene.
How do state laws add to the federal SMS marketing requirements?
Federal TCPA compliance is the floor, not the ceiling. Several states have passed statutes that add requirements to text marketing, and the trend runs toward more state regulation, not less.
Florida's Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059, was amended in 2021 and read broadly by some Florida courts to cover texts sent using technology that can dial numbers automatically, even when that tech isn't a traditional ATDS under federal law [8]. Florida caps solicitation hours at 8 a.m. to 8 p.m. local time, an hour tighter than the federal rule, and its damages provision allows $500 per violation. A wave of FTSA cases has moved through Florida courts.
Oklahoma's Stop Robocalls Act, passed in 2022, applies to texts and includes a private right of action.
California's Consumer Privacy Act (CCPA) doesn't regulate texting directly, but if you collect phone numbers from California residents, CCPA governs how you store, use, and share that data. A California resident's CCPA opt-out of data "selling" can interact with how you handle third-party lead data.
Washington, New York, and Texas all have statutes that can apply to commercial texts in certain situations. The safest move for any national SMS program is to build to the strictest applicable standard, which right now means designing your consent process to satisfy Florida's FTSA on top of federal TCPA rules. That combination covers most of the high-risk state exposure.
Frequently asked questions
Do I need written consent to send a promotional text message to an existing customer?
Yes. Under the TCPA's prior express written consent requirement, even existing customers must have specifically consented in writing to promotional texts. A prior purchase alone isn't enough for marketing messages, though it may support purely informational ones like order confirmations. The FCC's regulations at 47 C.F.R. § 64.1200 make that distinction explicit.
Can I text people who gave me their number on a paper form or in person?
Yes. Paper opt-ins are valid written consent under the TCPA as long as the form carries all required disclosures: the sender's name, message types, anticipated frequency, a statement that consent is not a condition of purchase, and a note about standard message rates. Scan and store every paper opt-in with a timestamp. Without a record, you can't defend against a complaint.
What happens if someone on my SMS list sends STOP but I text them again by accident?
Every text after a valid opt-out is a standalone TCPA violation, each carrying $500 to $1,500 in damages. If a system error or list-sync failure caused it, that mitigates willfulness slightly but doesn't erase liability. Fix the technical root cause immediately, confirm the number is suppressed across all active campaigns, and document what happened and how you fixed it.
How do text messaging marketing services protect me from TCPA violations?
A good SMS platform handles automatic STOP processing, time-zone-aware sending, and consent logging. But those tools only work on clean data. Import a purchased list without verifying consent and the platform can't save you. Compliance starts with your data sourcing and consent collection, not with the platform's built-in features.
Is there a difference between SMS marketing and MMS marketing under the TCPA?
No material difference. The FCC treats both SMS and MMS as "calls" under the TCPA, and the same prior express written consent requirement applies to both. MMS messages with images, audio, or video don't get treated differently for carrying richer content. The same consent, opt-out, and time-restriction rules apply to each.
Can I send text messages to a purchased list if the list vendor claims they have consent?
After the FCC's January 2025 one-to-one consent rule, vendor-claimed consent is very likely insufficient for you. The consent has to name your company specifically. A list aggregator's blanket consent form almost certainly doesn't meet that standard. Before texting any purchased list, get the exact consent disclosure language from the vendor and have a lawyer confirm it meets the current FCC standard.
What is the TCPA statute of limitations for SMS marketing violations?
The TCPA carries a four-year federal statute of limitations, drawn from 28 U.S.C. § 1658 and confirmed by most federal courts. Some state-law claims may run on different periods. So keep consent records, opt-out logs, and platform data for at least four years from the date of any send campaign.
Are appointment reminders and transactional texts exempt from TCPA written consent rules?
Purely informational messages, like appointment reminders with no promotional content, can qualify for the lower prior express consent standard rather than the stricter written consent rule. But the moment a reminder adds an offer, an upsell, or promotional language, it likely becomes a marketing message and needs full written consent. Keep informational and promotional texts strictly separate.
What is the FCC's one-to-one consent rule and when did it take effect?
The FCC issued a rule in December 2023 requiring that written consent for marketing texts name the specific company sending them, closing the loophole that let one consent form authorize multiple marketing partners. It took effect January 27, 2025. The rule mainly affects businesses that buy leads from aggregators or share consent lists with third parties.
Can a small local business like a shop in Green Bay use text message marketing legally?
Yes, and small local businesses often see strong SMS results because they have real relationships with their customers. The legal requirements don't change with size: get written consent, honor opt-outs immediately, send only during allowed hours, and keep records. A mid-tier SMS service in the $50 to $150 per month range gives a local business everything it needs to run a compliant program.
What is the difference between a TCPA violation and a CAN-SPAM violation for text marketing?
CAN-SPAM covers commercial email and doesn't apply directly to SMS. TCPA covers texts. The practical difference is enforcement. CAN-SPAM violations are pursued by the FTC and don't support private lawsuits. TCPA violations can be brought by any recipient, which makes SMS compliance far more consequential. A CAN-SPAM violation might draw an FTC warning. A TCPA violation can draw a class action.
How often can I legally text my subscribers?
The TCPA sets no specific frequency cap, but your consent disclosure has to reflect anticipated frequency honestly. If your form said "up to 4 messages per month" and you send 20, you've misrepresented the consent terms and weakened your defense. Frequency should match what subscribers agreed to. High frequency also drives up opt-outs, which piles onto your suppression management.
What records should I keep to defend against a TCPA claim about a text message?
Keep the consent record (timestamp, IP address, phone number, and the exact disclosure language shown), the opt-in source URL or form identifier, any opt-out requests and when you processed them, and the send log showing when each text reached each number. You want to show a court or plaintiff's counsel, within hours of a claim, exactly what consent you have and when it was given.
Does the national Do Not Call registry apply to text messages?
The FTC's DNC registry and the Telemarketing Sales Rule apply to outbound voice calls, not texts. Texts are governed by the TCPA's separate written consent requirement, which is stricter than DNC rules for marketing. Some state laws explicitly extend DNC-style protections to texts, and Florida's FTSA is the most prominent current example.
Sources
- U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed calls including texts to cell phones without prior express consent; statutory damages are $500 per violation, $1,500 for willful violations
- FCC, 47 C.F.R. § 64.1200, Rules and Regulations Implementing the TCPA: Written consent must identify the seller, describe message types, and include statement that consent is not a condition of purchase; texts restricted to 8am–9pm local time
- FTC, Complying with the Telemarketing Sales Rule: FTC Telemarketing Sales Rule applies to outbound voice calls; overview of DNC registry requirements that intersect with marketing compliance
- WebRecon LLC, TCPA Lawsuit Statistics (annual index): WebRecon tracks federal TCPA filing volume; SMS-related cases have grown as a share of total TCPA filings since 2018
- FTC, National Do Not Call Registry, 16 C.F.R. Part 310: National DNC registry and TSR apply to telephone solicitations (voice calls); DNC registry does not directly prohibit text messages under federal TSR
- Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059: Florida FTSA covers texts sent using automated systems, restricts hours to 8am–8pm local time, and includes a $500 per violation private right of action
- FCC Consumer Complaint Center: FCC guidance confirming opt-out mechanisms and consumer rights to revoke consent for commercial texts
- Salesforce, State of Marketing Report 2024: SMS open rates cited widely in marketing research at approximately 98%, compared to roughly 20% for email marketing
- Cornell Legal Information Institute, 28 U.S.C. § 1658, Time limitations on civil actions: Federal four-year statute of limitations applies to TCPA claims absent a specific statutory limitations period