Last updated 2026-07-10

TL;DR
Twilio requires documented prior express written consent before you send any marketing SMS. Federal law (47 U.S.C. § 227) backs that with fines up to $1,500 per willful text. You need three things on file: a clear opt-in disclosure, a record of when and how someone opted in, and a working opt-out. No consent, no send. Twilio will not check your consent for you.
What does Twilio actually require for SMS opt-in?
Twilio requires explicit consent, a saved record of that consent, an opt-in disclosure tied to your specific program, and a working STOP mechanism. All of it before your first message leaves the platform. Twilio's Messaging Policy says senders must obtain "consent from the recipient prior to sending any messages."
That means you cannot buy a list, scrape contacts, or assume consent because someone handed you their number for something else. The consent has to be specific to receiving SMS from your program.
Twilio also makes you keep proof. They call these "opt-in records," and their carrier partners can ask for them during audits or after a spam complaint. Can't produce the record? You can lose your messaging on the platform. [1]
There's a second checkpoint at registration. Before you can send application-to-person (A2P) 10DLC traffic in the United States, you have to register your brand and campaigns. Part of that registration asks you to describe your opt-in flow and hand over a sample opt-in message or a link to your web form. Campaigns that don't pass 10DLC registration simply don't send. [2]
What does federal law (TCPA) require for SMS opt-in?
Federal law requires "prior express written consent" before you send a marketing text to a cell phone. That's a signed, written agreement that clearly authorizes the sender to deliver ads or telemarketing using an autodialer or prerecorded voice. The rule lives in the Telephone Consumer Protection Act at 47 U.S.C. § 227, with the consent standard spelled out in the FCC's regulations at 47 C.F.R. § 64.1200. [3][8]
"Written" includes electronic records. A checkbox on a web form, a keyword opt-in via SMS (texting JOIN to a short code), or a signed paper form all count, as long as the disclosure language is there and the consumer took an affirmative action.
The disclosure has to say four things under the FCC's 2012 rules. One, consent is not a condition of purchase. Two, the consumer may receive autodialed or prerecorded calls or texts. Three, they consent to a specific program or sender. Four, they can revoke consent at any time. The FCC's one-to-one consent order, effective January 27, 2025, tightened this further by requiring consent to name a single seller instead of a generic pile of lead buyers. [4]
Transactional messages (order confirmations, appointment reminders with no marketing) sit at a lower bar: prior express consent, not written. The line between transactional and promotional is blurry enough that most practitioners treat everything like it needs written consent. That's what I'd do.
The penalties are real. Negligent violations run $500 per message. Willful or knowing violations run up to $1,500 per message. [3] There's no cap on the number of violations in a single suit, which is exactly why TCPA class actions get expensive so fast.
What is the difference between single opt-in and double opt-in for Twilio SMS?
Single opt-in is when a user submits their number and you start sending. Double opt-in adds a step: you send a first message asking them to reply YES or CONFIRM before you add them to your list. The TCPA does not require double opt-in. Single opt-in satisfies the law if your disclosure is correct and you keep the record.
Twilio doesn't technically mandate double opt-in either, though some carrier partners require it for use cases like sweepstakes or financial services.
Double opt-in is still the better move, for two reasons. It creates a second timestamp and a confirmed reply in your message logs, which is strong evidence if you get sued or audited. It also filters out mistyped numbers and junk submissions, which drops your spam complaint rate. Lower complaints keep your 10DLC trust scores healthy, and that protects your throughput with Twilio's carrier aggregators. [5]
Drop-off at the confirmation step usually runs 10 to 30 percent. The people who stay are the ones who actually want to hear from you. Nobody has published a clean industry-wide study on this. The ranges come from aggregator guidance and platform reporting, so read them as rough benchmarks, not gospel.
Want the mechanics? The sms double opt in process is worth reading before you build your flow.
How do you build a compliant Twilio SMS opt-in flow?
Put the consent language at the opt-in point itself, before or at the moment the user submits their number. Not buried in a privacy policy. Not three screens down. Right there next to the field. This holds whether the capture is a web form, a landing page, a keyword campaign, or a point-of-sale terminal.
The disclosure should read something like: "By submitting this form, you agree to receive recurring automated marketing text messages from [Company Name] at the number provided. Consent is not a condition of purchase. Message and data rates may apply. Reply STOP to unsubscribe."
After they opt in, your first message confirms the subscription. Twilio's messaging guidelines say the first message should carry the program name, message frequency, a data-rates reference, and STOP/HELP instructions. [1] Something like: "[Brand]: You're now opted in to our deal alerts. Msg frequency varies. Msg & data rates may apply. Reply STOP to cancel, HELP for help."
Keep these fields in your record: the subscriber's phone number, the consent timestamp, the source URL or keyword they used, the IP address if it was a web form, and a copy of the disclosure they saw at the time. Store it somewhere you can pull fast. If a TCPA demand letter lands, you have roughly 30 days before litigation, and you need that record in hand.
For the sms opt-in form itself, a dedicated guide covers what the form must say and how to structure the confirmation.
On the Twilio side, you also register a 10DLC campaign that matches your opt-in use case. The campaign description you submit has to line up with what your form actually says. Mismatches between the registered description and your real messaging are one of the most common reasons campaigns get flagged. [2]
What opt-in records does Twilio require you to keep?
Twilio requires records that show consent, and its trust and safety team plus the downstream carriers (AT&T, Verizon, T-Mobile) can pull audit requests, usually after a spam complaint. Can't show the opt-in record for a complained-about number? That's grounds for campaign suspension. [1]
The records Twilio and carriers want to see:
- The opt-in timestamp and method (web form URL, SMS keyword, voice recording)
- The exact disclosure language shown at opt-in
- The subscriber's phone number, plus the confirmation message if you used double opt-in
- Any opt-out requests and timestamps (STOP replies must be honored within a reasonable time under the FCC's rules; the 2024 order set a 10 business day ceiling) [4]
How long to keep them? The TCPA's federal statute of limitations is 4 years, and some state analogs run longer. Keep your opt-in records at least 4 years from the last message you sent to that number.
If you're using Twilio Engage or a CRM integration, map exactly where opt-in data lives. Teams discover during audits that consent data sits in one system, message logs sit in Twilio, and the form disclosure language was never saved anywhere. That gap is a real liability.
How does Twilio 10DLC registration connect to opt-in compliance?
10DLC (10-digit long code) is the U.S. carrier system for vetting A2P business texting, and it ties directly to your opt-in. Every business sending commercial SMS through a local 10-digit number via Twilio has to register its brand and its campaigns through The Campaign Registry (TCR). [2]
When you register a campaign, TCR and the carriers review your use case, your opt-in description, and your sample messages. If your opt-in description says "users opt in on our website" but your messages read like cold outbound, that's a red flag that gets a campaign rejected or a number flagged.
The categories under the hardest scrutiny are consumer lending, debt collection, real estate solicitation, and political messaging. These need extra documentation of your opt-in process. Some carriers reserve the right to reject entire categories regardless of registration.
Throughput limits ride on campaign trust scores, which depend partly on your complaint rate. A high complaint rate can throttle or disable your campaign. T-Mobile's threshold sits around 0.2 percent of messages generating spam reports. Keeping opt-in records isn't only a legal requirement. It's the operational base for staying on the carriers' good side. [6]
For the full registration workflow on the compliance side, twilio tcpa compliance covers 10DLC specifically.
What opt-out rules apply to Twilio SMS programs?
Once a consumer revokes consent, you stop sending marketing messages. The FCC's 2023 revocation order, effective April 11, 2024, says opt-out must be honored within 10 business days and that any "reasonable" method the consumer uses has to be respected, not only STOP replies. [4]
Twilio handles STOP automatically for most configurations. When a recipient texts STOP, Twilio blocks further outbound messages to that number and sends a default opt-out confirmation, which you can customize within limits.
Here's the part teams miss. Check that your CRM or backend is actually pulling those opt-out records from Twilio and suppressing the numbers on future sends. Plenty of teams assume Twilio handles it end to end. But if your campaign tool re-imports a list without checking Twilio's opt-out log, you can text a number that already opted out. That's a violation. [1]
Twilio also recognizes UNSUBSCRIBE, CANCEL, END, and QUIT for opt-out. HELP returns your help message. Make sure your first message spells out both help and opt-out, because carriers check for it during audits.
Re-engagement has one clean path. You generally cannot text a number on your opt-out list to ask if they want back in. That message is itself unsolicited. The only clean route is a fresh opt-in through your website or another channel.
Can you use purchased lists or scraped data for Twilio SMS campaigns?
No. Full stop.
Purchased lists almost never carry valid prior express written consent that meets the TCPA. Whatever consent was collected (if any) was for some other company's messaging, not yours. The FCC's one-to-one consent rule, effective January 27, 2025, makes this plain: consent must name the specific seller or sender. A generic opt-in to "marketing partners" on a sweepstakes form does not create valid consent for your SMS program. [4]
Sending to a purchased list through Twilio also breaks Twilio's own Acceptable Use Policy, which bars sending to recipients who haven't explicitly opted in to hear from you. Get caught and you risk account termination, more than campaign suspension. [1]
Scraped numbers carry the same defect. Someone posting a number on a website or LinkedIn didn't consent to automated marketing texts from you. Stopping exactly that kind of outreach is what the TCPA is for.
Buying leads from a vendor? You need to see the vendor's consent documentation for each phone number, in writing, naming your company or meeting the one-to-one standard. This is harder than it sounds, and most lead vendors can't actually produce compliant documentation. For more, lead generation compliance news tracks the litigation patterns around purchased lists.
What are the real costs of getting Twilio SMS opt-in wrong?
The TCPA penalty is $500 per message for negligent violations and up to $1,500 per message for willful ones. [3] Send 10,000 texts without proper consent, let a class action get certified, and the math turns brutal. Real settlements tell you more than theoretical maximums.
Publicly filed TCPA text settlements have hit tens of millions for mid-size companies. Papa John's settled a TCPA text case for $16.5 million in 2013. Jiffy Lube settled for $47 million in 2015. Both involved big sending volumes without proper consent documentation. [7]
There's a second cost beyond court. Twilio can suspend your campaigns or terminate your account for policy violations. Lose your phone infrastructure mid-quarter and that's its own kind of damage to a sales operation.
Getting it right costs almost nothing by comparison. A proper opt-in form, a consent logging system, and a suppression process take a developer a few days, or you can use a platform that handles it. That's a rounding error next to a settlement. tcpa sms compliance breaks down what a minimum viable compliance program looks like for small teams.
LeadCompliant's free TCPA tools and compliance kit cover the opt-in checklist and consent language templates if you want a starting point without paying outside counsel for the basics.
How does Twilio SMS opt-in work for different industries?
The core consent requirements are identical across industries. Some sectors just draw extra scrutiny from Twilio's carriers and from federal regulators, and the documentation bar rises with the risk.
Real estate: Agents and brokers texting leads from Zillow and similar sites are among the highest-volume TCPA defendants right now. A lead submitting info online doesn't mean they consented to automated texts from your brokerage. The real estate text message marketing guide covers the specific traps. Any real estate SMS on Twilio needs the opt-in at your firm's own capture point, with your firm's name in the disclosure.
Restaurants: Text loyalty programs fit restaurants well and pair nicely with Twilio keyword campaigns (text PIZZA to 12345). Consent capture usually happens at the counter or on a receipt. The sample text message marketing for restaurants article has compliant disclosure examples for that setting.
B2B: Business-to-business SMS sits in a grayer zone. The TCPA covers any cell phone number, and most businesspeople get texts on personal cells. The FCC hasn't carved out a formal B2B exemption. Some courts have been softer on B2B claims, but assuming you're exempt is not safe. For cross-border issues, b2b lead generation platforms gdpr compliance covers the GDPR layer.
Financial services and healthcare: These face the strictest carrier scrutiny at 10DLC registration and often require added documentation of consent sources. HIPAA piles a separate overlay onto healthcare messaging that Twilio's standard opt-in framework doesn't cover on its own.
| Industry | Typical opt-in method | Extra scrutiny? |
|---|---|---|
| Retail / e-commerce | Web form, checkout checkbox | Low to medium |
| Real estate | Lead form with named brokerage | High |
| Financial services | Signed agreement or web form | High |
| Healthcare | Written consent + HIPAA BAA | Very high |
| Restaurant / hospitality | Keyword or receipt capture | Low |
| B2B sales | Web form or event capture | Medium |
What should your Twilio SMS opt-in confirmation message say?
The first message a new subscriber gets carries a lot of compliance weight. Twilio's guidelines and carrier requirements both expect it to name your brand, describe what they signed up for, state message frequency, note data rates, and give STOP and HELP instructions. [1]
A compliant confirmation message typically includes:
- Your brand name (so recipients know exactly who is texting)
- What they signed up for ("deal alerts," "appointment reminders," "order updates")
- Message frequency ("up to 4 messages per month" or "msg frequency varies")
- A data-rates line ("Msg & data rates may apply")
- Clear opt-out instructions ("Reply STOP to cancel")
- A HELP instruction ("Reply HELP for help")
Example: "[YourBrand]: Thanks for signing up for our weekly deal texts. Msg frequency: up to 4/month. Msg & data rates may apply. Reply STOP to cancel, HELP for help."
Send it from the same number your ongoing messages will use. Switching numbers after opt-in confuses people and triggers opt-outs. Toll-free opt-in, toll-free confirmation. 10DLC opt-in, 10DLC confirmation.
Keep it short. Long first messages look like spam and trip carrier filters. The disclosures fit comfortably in one or two SMS segments. opt-in sms marketing has more on the full sequence after opt-in.
How do you handle Twilio SMS opt-in for keyword campaigns?
Keyword campaigns (someone texts a word like JOIN or YES to your number) are one of the cleanest opt-in methods for documentation. The subscriber starts the contact, and Twilio logs the inbound message with a timestamp. That record is strong evidence of consent.
To run one compliantly, advertise the keyword with proper disclosures wherever you promote it. If your storefront sign says "Text DEALS to 555-0100 for coupons," that sign (or its digital version) should also say "Msg & data rates may apply. Reply STOP to unsubscribe." The FCC's rules expect the call-to-action to carry basic opt-out and data-rate information, not only the confirmation message. [3]
On Twilio, you configure a Messaging Service or a specific number to listen for inbound keywords and fire an auto-response. Twilio Studio or a simple webhook handles this. The auto-response is your opt-in confirmation and should carry every element from the section above.
Want confirmation before you add someone (double opt-in)? Set the auto-response to say "Reply YES to confirm your subscription to [Program Name]." Twilio then logs the YES reply as a second consent record, which is genuinely useful in a dispute.
Keyword campaigns also handle opt-outs by category. If someone texts NOSTYLE but wants to keep shipping updates, you can segment opt-outs by topic instead of removing them from everything. It takes more list management and it reduces churn. The sms opt-in overview goes deeper on segmentation.
Frequently asked questions
Does Twilio automatically enforce TCPA opt-in rules for me?
No. Twilio provides the infrastructure and enforces its own Acceptable Use Policy, but it does not verify that each recipient consented to your messages. Consent collection, storage, and suppression are your job as the sender. Twilio honors STOP replies automatically, but it cannot know whether your opt-in disclosures were legally adequate. You own the compliance process end to end.
What happens if someone complains about my Twilio SMS messages?
If a recipient reports your message as spam through their carrier, that complaint reaches Twilio via the carrier network. High complaint rates trigger a campaign audit, throughput throttling, or suspension. Twilio may ask you to produce opt-in records. If you can't, your campaign risks termination, and repeat violations can suspend your whole account. Separately, the recipient can file an FCC complaint or a private TCPA lawsuit.
Can I send Twilio SMS to people who gave me their number on a paper form?
Yes, if the paper form carried proper TCPA disclosure language and you can document what it said and when they signed. Paper consent is valid under the written consent standard. The hard part is retention: you need a scanned copy of the completed form or a digital log entry. A paper form with no disclosure language creates no valid consent, even if the person handed you the number willingly.
Is there a specific Twilio opt-in message template I should use?
Twilio doesn't mandate exact wording, but a compliant template reads: "[Brand]: You're subscribed to [Program]. Msg frequency varies. Msg & data rates may apply. Reply STOP to cancel, HELP for help." Swap in your brand name and program. The non-negotiable elements are brand identification, program description, frequency disclosure, data-rates notice, STOP instructions, and HELP instructions. Keep it under 160 characters when you can.
What is the FCC's one-to-one consent rule and how does it affect Twilio SMS programs?
The FCC's one-to-one consent rule, effective January 27, 2025, requires prior express written consent to be specific to a single named seller. A blanket consent to "marketing partners" on a third-party lead form no longer satisfies the standard. If you buy leads, the consent must identify your company by name. If you collect your own opt-ins, your disclosure must name your company, not a parent brand or a vague program label.
How long do I need to keep Twilio SMS opt-in records?
The TCPA's federal statute of limitations is 4 years. Some state-level claims run 3 years. Keep opt-in records, including timestamps, source URLs, IP addresses, and the disclosure language shown at consent, for at least 4 years from the date of the last message sent to that number. If a subscriber opts out and you never message them again, the clock starts on the opt-out date.
Do I need opt-in consent for Twilio transactional SMS like order confirmations?
Transactional messages (order confirmations, shipping updates, appointment reminders with no promotional content) require prior express consent, a lower bar than written consent. In practice, giving your phone number during a transaction and getting a confirmation is usually treated as implied consent for that transaction. As soon as you add promotional content, the standard jumps to written consent. The line blurs fast, so most teams use the full written standard for everything.
Can I re-send to someone who previously opted out if they visit my website again?
Only if they complete a fresh opt-in on your website with the required consent disclosure. Visiting the site alone creates no consent. If they submit a new form with proper disclosure language, that's a new opt-in record and you can resume sending. You cannot read page views, email opens, or purchases as re-consent to SMS. The opt-out has to be actively reversed by the consumer through an explicit act.
What is Twilio's 10DLC and why does it affect my opt-in process?
10DLC is the carrier-level registration system for business SMS in the U.S. Before sending A2P messages through 10-digit local numbers on Twilio, you must register your brand and campaigns through The Campaign Registry. Registration requires a description of your opt-in method and sample messages. Unregistered campaigns get filtered or blocked by major carriers. Mismatches between your registered opt-in description and your real practice can get campaigns rejected or flagged during audits.
How does Twilio handle opt-out (STOP) requests, and what do I need to do on my end?
Twilio automatically blocks outbound messages to numbers that replied STOP and sends a default opt-out confirmation you can customize. Your job is syncing those opt-outs with your CRM or sending platform so the numbers stay suppressed. Twilio's opt-out list lives in its system. If your campaign tool re-imports a list without checking against that list, you can text opted-out numbers. That sync is on you.
Are there industries where Twilio SMS opt-in requirements are stricter?
Yes. Financial services, healthcare, real estate solicitation, and political messaging draw the most scrutiny from Twilio's carrier partners during 10DLC registration. Healthcare adds HIPAA obligations on top of TCPA. Financial services campaigns often need extra documentation of consent sources. Some carriers reserve the right to reject high-risk categories regardless of registration. The core consent standard is the same, but the documentation requirements and carrier tolerance are tighter.
What's the difference between a short code and a 10DLC number for opt-in compliance?
Short codes (5 or 6 digit numbers) go through a separate provisioning process with a more rigorous application that includes opt-in flow documentation. They carry higher throughput and often run high-volume marketing. 10DLC uses regular 10-digit numbers and requires brand and campaign registration through TCR. Toll-free numbers have their own verification. The TCPA consent requirements are the same across all three, but the carrier vetting varies in depth.
Can a sales rep text someone from Twilio without going through a formal opt-in process?
It depends on whether the person gave the rep their number and invited a response. A business card handed over at a trade show is generally not express written consent to receive automated marketing texts. If the rep uses Twilio in a way that counts as an automatic telephone dialing system, the TCPA applies. Individual conversational texts sent manually, not through automation, carry less regulatory risk, but the ATDS definition is still being litigated.
Sources
- Twilio, Messaging Policy: Twilio requires senders to obtain consent from recipients prior to sending messages and to maintain opt-in records.
- The Campaign Registry (TCR): U.S. A2P 10DLC senders must register brand and campaign information, including opt-in flow descriptions, through The Campaign Registry before sending.
- FCC, 47 U.S.C. § 227 (TCPA) via govinfo.gov: The TCPA imposes $500 per violation and up to $1,500 for willful violations; prior express written consent is required for marketing texts to cell phones.
- The Campaign Registry, TCR Platform: Campaign trust scores and carrier complaint thresholds (T-Mobile approximately 0.2 percent) affect message throughput for 10DLC campaigns.
- ABA Journal, TCPA class action settlement coverage: Papa John's settled a TCPA text message class action for $16.5 million (2013); Jiffy Lube settled for $47 million (2015), illustrating real litigation exposure for mass SMS senders.
- FCC, 47 C.F.R. § 64.1200 (implementing regulations) via eCFR: FCC implementing regulations define prior express written consent requirements for autodialed or prerecorded marketing calls and texts to cell phones.
- FCC, consumer guides on unwanted calls and texts: FCC confirms consumers can revoke consent at any time through any reasonable means, including texting STOP.
- Federal Trade Commission, business guidance on telemarketing: Federal telemarketing rules require documented consent and honoring of opt-out requests for commercial outreach.