Twilio TCPA compliance: what you actually need to do

Using Twilio for calls or texts doesn't move TCPA liability to them. Here's what consent, opt-out, and DNC scrubbing rules apply to you as the sender.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-09

Compliance professional reviewing documents at a standing desk, morning office light
Compliance professional reviewing documents at a standing desk, morning office light

TL;DR

Twilio is a communications platform, not a compliance shield. Under 47 U.S.C. § 227, TCPA liability falls on the party that initiates the call or text, which is you, not Twilio. You need prior express written consent before marketing messages, a working opt-out mechanism, and DNC scrubbing before every campaign. Twilio provides the pipes. Compliance is your problem.

Does using Twilio protect you from TCPA liability?

No. Full stop.

Twilio routes your messages and calls. It does not review your recipient lists, verify that you have consent, or scrub numbers against the National Do Not Call Registry. Twilio's terms of service require customers to comply with all applicable laws, including the TCPA [1]. If the FCC or a plaintiff's attorney comes looking, they are coming for you.

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, defines liability around the party that "initiates" a call or text message. Courts have consistently found that the brand or business directing the message is the initiating party, even when a third-party platform delivers it [2]. Twilio's role as a downstream carrier does not insulate you from a class action or an FCC enforcement action.

This matters in practice more than people expect. Businesses assume that using a big, reputable platform means they are covered. They are not. The FCC's 2023 one-to-one consent changes, effective in 2025, made the point sharper: consent has to go to the seller contacting the consumer, not to a platform or an aggregator [3].

What does the TCPA actually require when you send messages through Twilio?

The TCPA has three compliance lanes, and which one you are in depends on what you send and how.

Autodialed or prerecorded calls and texts to cell phones. Under 47 U.S.C. § 227(b)(1)(A), you cannot use an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to call a cell phone without prior express consent. For marketing, the FCC requires prior express written consent, meaning a signed, clearly written agreement that specifically authorizes you to send that person marketing content [4]. Twilio's programmable messaging and voice APIs can qualify as an ATDS depending on how your application generates numbers or manages call queues. That is a fact-intensive legal question your counsel should answer.

Texts to cell phones. The same ATDS analysis applies to SMS. If your Twilio integration pulls from a contact list and sends automatically, courts may treat that as an ATDS. The Ninth Circuit in Marks v. Crunch San Diego (2018) expanded the definition in some circuits to include any system able to dial automatically from a stored list [12]. The Supreme Court narrowed it in Facebook v. Duguid (2021), holding that an ATDS must have the capacity to use a random or sequential number generator [5]. Even under that narrower standard, plenty of Twilio use cases still qualify.

Calls to residential landlines. Marketing calls to home phones using a prerecorded message require prior express written consent. Informational calls require only prior express consent, which can be oral.

The time-of-day rule. Consent or not, 47 C.F.R. § 64.1200(c) prohibits calls before 8 a.m. or after 9 p.m. in the recipient's local time zone [4]. Twilio will deliver your message at 2 a.m. if you tell it to. It will not stop you.

The FCC's December 2023 Report and Order (FCC 23-107) hit lead generation and multi-sender SMS campaigns hardest [3]. Before 2025, a consumer could give consent on a single web form to an entire marketing network, and that blanket consent counted for every company in it. That is over.

The rule requires consent to go to one seller at a time. The consumer has to see your business name and authorize your communications specifically. If you are a lender, an insurance agency, or any business buying leads from a generator who collected consent for "up to 50 partners," that consent no longer covers your Twilio campaigns.

So if you send Twilio messages to a list from a third-party lead vendor, every record needs consent that names your company. Most teams will need to rebuild their lead intake flows, their consent capture pages, and their record-keeping. The FCC set a January 27, 2025 compliance date, though litigation over the effective date left some uncertainty into mid-2025 [3].

For how consent should flow from the first touchpoint, see our guide on text message marketing.

TCPA by the numbers: key thresholds for Twilio senders Statutory damages, time rules, and scrubbing frequency from federal law 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 31 DNC scrubbing required every (days) 4 TCPA statute of limitations (years) Source: 47 U.S.C. § 227 and 16 C.F.R. § 310.4(b)

What opt-out requirements apply to Twilio SMS campaigns?

Every marketing text program has to give recipients a clear, conspicuous, and free way to opt out under 47 C.F.R. § 64.1200 [4]. For SMS, CTIA guidelines (which carriers enforce through Twilio's acceptable use policies) say you honor STOP, UNSUBSCRIBE, CANCEL, END, and QUIT, generally within a short window, though immediate processing is the practical standard [6].

Twilio has built-in opt-out handling through its Messaging Services feature. Enable it and Twilio catches STOP replies and flags the number. But flagging is not removing. You are responsible for pushing that opt-out into your CRM, your dialer queue, and anything else that touches the number. Twilio's opt-out flag lives in Twilio. Your database is separate. These two systems drift out of sync constantly, and that gap is where TCPA violations happen.

The stakes are real. TCPA statutory damages run $500 per negligent violation and up to $1,500 per willful violation [2]. One campaign to 10,000 people who already texted STOP could expose you to $5 million in statutory damages before any multiplier. The UnitedHealthcare $2.5M settlement and the Albertsons/Safeway TCPA settlement show how fast the numbers scale for large senders.

Build a suppression list that lives in your own system, more than in Twilio. Every opt-out, every STOP reply, every manual unsubscribe feeds that list. Every send pulls from it first.

Does Twilio scrub numbers against the National DNC Registry?

No. Twilio does not scrub numbers against the National Do Not Call Registry for you [1]. That is entirely your job.

The FTC's National DNC Registry covers residential numbers that registered to opt out of telemarketing calls. Under 16 C.F.R. § 310.4(b), telemarketers must access the registry at least every 31 days and honor registrations within 30 days of the consumer's registration date [7]. Most states also run their own DNC lists, and some are stricter than the federal one.

For SMS, the registry's application is less settled than for voice, but plaintiffs' attorneys routinely argue that marketing texts to registered numbers violate the TCPA. The FTC treats texts as functionally equivalent to calls for DNC purposes [10].

Here is the right order. Pull your outbound list. Run it against the federal DNC registry (a paid subscription is required for lists over 5 numbers [7]), then applicable state DNC lists, then your internal suppression list. Load the clean remainder into Twilio. Not the reverse. Do this scrubbing within 31 days of each send, not once at list acquisition.

For suppression mechanics from your own operations side, our guide on how to stop robocalls goes deeper.

What records do you need to keep to defend a TCPA claim?

Good records will not stop a lawsuit. They are often the difference between a quick dismissal and a seven-figure settlement.

For every contact, you should be able to produce the date and time consent was given, the exact language of the disclosure the consumer agreed to, the IP address or signature tied to that consent, the URL or physical location where you captured it, and proof the consumer saw and acknowledged the required disclosures. For written consent, the FCC's 2012 rules require a signed written agreement [8].

For Twilio, also keep the message SID for every outbound message (Twilio's unique message identifier), delivery status logs, opt-out event logs from Twilio's webhook data, and your own suppression list with timestamps. Twilio's logs are not permanent. Message logs are retained for about 13 months in most configurations, and metadata retention varies by account type [1]. Do not treat Twilio as your record-keeping system.

The statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658, so your records need to survive four years from the last message in a campaign [9]. Keep consent records longer, because plaintiffs sometimes argue continuing violations.

In contested cases like Credit One's TCPA settlement and the Truist Bank TCPA class action, missing or unreliable consent records left the company without a real defense.

Is Twilio's programmable messaging considered an ATDS under the TCPA?

This is the most contested technical question in Twilio TCPA compliance, and the honest answer is that it depends on how you use it, and courts are still split.

The Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid held that an ATDS must use a random or sequential number generator, either to store or to produce telephone numbers to be called [5]. The majority wrote that to qualify as an ATDS, "a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator." That tracks the statute's own definition at 47 U.S.C. § 227(a)(1).

Under that standard, a Twilio application that dials from a pre-uploaded contact list, with no random or sequential generation, may not qualify as an ATDS. But some courts read the "capacity" language broadly, and certain predictive dialing or queue management functions can still qualify. If your Twilio application has dynamic number generation, predictive dialing, or pulls numbers algorithmically, the analysis gets harder.

What most TCPA practitioners tell clients: treat your Twilio setup as if it is an ATDS and get consent accordingly. The cost of getting consent is small. The cost of being wrong is catastrophic. This is doubly true for marketing, where the consent standard (prior express written consent) is the same whether or not an ATDS is technically in play.

What does Twilio require from you in its own acceptable use policy?

Twilio's Acceptable Use Policy is a contract requirement, not a regulatory one, but breaking it can suspend your account and strand your business mid-campaign [1].

The AUP prohibits unsolicited messages, requires that you comply with all applicable laws (including the TCPA, CAN-SPAM, and CASL where relevant), and requires opt-out mechanisms in SMS campaigns. Twilio also requires that short code and toll-free campaigns get registered and approved through carrier vetting. 10DLC (10-digit long code) numbers used for application-to-person messaging in the US must be registered through The Campaign Registry, which Twilio integrates with [6].

10DLC registration is not optional. Carriers have filtered and blocked unregistered traffic since 2021, and Twilio will not route A2P messages from unregistered numbers. Registration asks you to identify your brand, your campaign use case, your message content, and to confirm TCPA compliance. It does not verify your compliance. It records your assertions. The liability stays yours.

Twilio also watches traffic for spam signals and can suspend accounts showing unusual volume, high opt-out rates, or other red flags. A suspension in the middle of a send is its own operational crisis, separate from any legal exposure.

What are the biggest TCPA mistakes Twilio users make?

A handful of failure patterns show up again and again in enforcement actions and civil suits.

Using old lists without re-consent. A list valid for one campaign is not automatically valid for the next, especially after the one-to-one consent rule. Lists decay. People change numbers. Running a two-year-old list through Twilio without re-verification is one of the fastest ways to stack up violations.

Treating Twilio's opt-out as your suppression list. Twilio catches STOP replies inside its own system. Your CRM does not update on its own. Teams that skip a two-way sync between Twilio opt-out events and their internal suppression list will eventually text someone who already opted out. That is a willful violation, and willful violations carry $1,500 per message [2].

Skipping time-zone checks. Twilio sends whenever you schedule. A 9 a.m. Eastern blast to a national list hits California at 6 a.m. The 8 a.m. to 9 p.m. local-time rule applies to every recipient individually [4].

Not registering 10DLC before sending. Unregistered traffic gets filtered at the carrier level. Some teams send first and register later. Carriers flag it, and Twilio's compliance team will reach out.

Buying leads without verifying one-to-one consent. After January 2025, blanket lead-gen consent does not satisfy the FCC rule. This is probably the most widespread compliance gap in outbound sales right now.

LeadCompliant's free TCPA compliance kit includes consent documentation templates and a pre-send checklist mapped to each of these failure points. Running it before launch takes about 20 minutes and catches most of the obvious gaps.

How much can a TCPA violation through Twilio actually cost you?

Congress set TCPA statutory damages at $500 per violation for negligent conduct and $1,500 per violation for willful or knowing conduct [2]. Every message to a non-consenting recipient is a separate violation. Every call to a DNC-registered number is a separate violation.

The math turns ugly fast. A campaign of 5,000 messages to a list with 10 percent invalid consent is 500 violations. At $500 each, that is $250,000 in statutory damages before attorney fees. If a court finds willful conduct, triple it to $750,000. Class actions make it worse, because plaintiffs' attorneys aggregate thousands of individual violations into one suit.

The Cash App TCPA class action settlement and the Kaiser TCPA settlement show large, well-funded companies paying real money to make these cases go away. Small businesses do not have the legal budget to fight them.

Then there is FCC enforcement, which runs separate from private suits. The FCC issued a $225 million forfeiture in 2021 against a health insurance robocall operation, its largest ever, though courts have trimmed some FCC forfeitures on due process grounds [11]. Since 2023 the enforcement direction has been stricter, not looser [3].

For how courts and regulators keep moving, the TCPA news section tracks recent rulings and enforcement actions.

What should a compliant Twilio sending workflow actually look like?

Here is a defensible process, step by step.

Step 1: Capture consent properly. Before a number enters your Twilio pipeline, you need documented, one-to-one prior express written consent. The form has to name your company, describe the message types, state that consent is not a condition of purchase, and disclose that the consumer may receive autodialed or prerecorded messages. Save the record with a timestamp, IP address, and the exact disclosure text shown.

Step 2: Scrub before every send. Run your send list through the federal DNC Registry (updated within 31 days), your state DNC lists, and your internal suppression list. Not once. Before each campaign [7].

Step 3: Register your Twilio numbers. Get your 10DLC brand and campaign registered and approved through The Campaign Registry before sending A2P traffic [6].

Step 4: Schedule within permitted hours. Confirm every recipient's local time will fall between 8 a.m. and 9 p.m. when the message lands. If your list spans time zones, segment and schedule accordingly.

Step 5: Handle opt-outs in real time. A Twilio webhook can fire to your system the moment a STOP reply arrives. Build that integration. Every opt-out hits your suppression list fast, and Twilio's own opt-out is a fallback, not your primary system.

Step 6: Keep the records. Archive consent documentation, Twilio message SIDs, delivery logs, and suppression list activity for at least four years [9].

None of this is complicated in principle. The failure lives in the gap between knowing what to do and building the systems that do it every time.

Frequently asked questions

Is Twilio responsible for my TCPA compliance?

No. Twilio's terms require customers to comply with the TCPA and all applicable laws. Under 47 U.S.C. § 227, liability falls on the party that initiates the call or message, which is you as the sender. Twilio processes your traffic. It does not verify your consent records, scrub your lists, or check whether you are calling DNC-registered numbers.

Does Twilio count as an ATDS under the TCPA?

It depends on how your application uses it. After Facebook v. Duguid (2021), an ATDS must use a random or sequential number generator. A Twilio app that dials a pre-uploaded contact list may not qualify, but apps with predictive dialing logic or dynamic number selection are riskier. Most practitioners recommend treating any Twilio marketing setup as if it were an ATDS and getting prior express written consent regardless.

Prior express written consent, as defined in the FCC's 2012 rules under 47 C.F.R. § 64.1200. It must be a signed written agreement, name your company specifically (required since January 2025 under FCC 23-107), describe the message types, and state that consent is not a condition of purchase. Oral consent or a bare checkbox without the required disclosures is not enough for marketing messages.

Does Twilio automatically honor STOP opt-outs?

Twilio's Messaging Services feature catches STOP replies and flags numbers inside its platform. That flag does not automatically update your CRM or internal suppression list. You need a webhook integration that pushes Twilio opt-out events into your own system. Relying only on Twilio's flag means you risk texting the same number from a different system or campaign later.

Do I need to register my Twilio numbers before sending texts?

Yes. Twilio requires 10DLC registration for A2P (application-to-person) messaging on 10-digit long codes in the US. You register your brand and campaign use case through The Campaign Registry. Unregistered traffic gets filtered by carriers, and Twilio will not route it. Registration does not guarantee TCPA compliance. It is a carrier network requirement separate from the legal consent rules.

How often do I need to scrub my list against the National DNC Registry?

At least every 31 days under 16 C.F.R. § 310.4(b). You also have to honor new registrations within 30 days of the consumer's registration date. Twilio does not do this for you. You need a paid FTC DNC Registry subscription for lists over 5 numbers, and you should run your list against applicable state DNC lists too before each campaign.

What are the TCPA penalties if I send noncompliant messages through Twilio?

The TCPA sets statutory damages at $500 per negligent violation and $1,500 per willful or knowing violation under 47 U.S.C. § 227(b)(3). Each message to a non-consenting recipient or DNC-registered number is a separate violation. A campaign of a few thousand messages with consent gaps can expose a sender to six or seven figures, often in a class action filed for all similarly situated recipients.

What time of day can I send messages through Twilio?

FCC rules at 47 C.F.R. § 64.1200(c) prohibit calls and messages before 8 a.m. or after 9 p.m. in the recipient's local time zone. Twilio sends whenever you schedule it. Time-zone compliance is your job. If your contact list spans multiple time zones, segment your sends and schedule each segment by that group's local time.

The FCC's December 2023 order (FCC 23-107), with a January 27, 2025 compliance date, requires that consumer consent name one seller at a time. Blanket consent collected by a lead generator for dozens of companies no longer satisfies the rule. Any Twilio campaign built on third-party leads needs consent that names your company specifically, or the consent is invalid under current FCC rules.

Can I text people who filled out a form on my website using Twilio?

Yes, if the form included a compliant prior express written consent disclosure. It has to name your company, describe the message types (including marketing), state that consent is not a condition of purchase, and be acknowledged with a clear affirmative action. A pre-checked box does not satisfy the written consent requirement. Save the submission with a timestamp and IP address as evidence.

Does the TCPA apply to B2B texts sent through Twilio?

The TCPA applies to calls and texts to mobile numbers, including numbers a business uses. Business cell phones get the same protection as consumer phones. The B2B exemption in telemarketing law is narrower than many sales teams assume. It does not cover mobile numbers or prerecorded-voice messages, regardless of business context.

How long should I keep Twilio message records in case of a TCPA claim?

At least four years, matching the federal statute of limitations under 28 U.S.C. § 1658. Keep consent documentation, Twilio message SIDs, delivery status logs, opt-out event logs, and suppression list activity for that period. Twilio's own message log retention is typically about 13 months, so export and store this data in your own systems. Do not rely on Twilio's dashboard as your archive.

What is the risk if I buy leads and text them through Twilio without checking consent?

Very high. After January 2025, consent collected by a lead generator for a broad network does not satisfy the FCC's one-to-one rule. Texting purchased leads without confirming they consented specifically to your company is a likely TCPA violation per message. Courts have awarded $500 to $1,500 per message. A list of 10,000 unverified leads texted once could mean $5 million to $15 million in potential exposure.

Is there a difference between Twilio TCPA compliance for SMS versus voice calls?

The core consent requirements are the same: prior express written consent for marketing. Voice calls to cell phones using an ATDS or prerecorded message carry the same standard. Voice calls to residential landlines with a prerecorded marketing message also require prior express written consent. Informational prerecorded calls to landlines need only prior express consent, which can be oral. The time-of-day restrictions apply to both.

Sources

  1. Twilio, Acceptable Use Policy: Twilio requires customers to comply with all applicable laws including the TCPA and does not scrub lists or verify consent on behalf of customers
  2. U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation for negligent violations and up to $1,500 per willful or knowing violation; liability falls on the party initiating the call
  3. FCC, 47 C.F.R. § 64.1200 (Delivery Restrictions): FCC rules require prior express written consent for marketing autodialed or prerecorded calls, prohibit calls before 8 a.m. or after 9 p.m. local time, and require clear opt-out mechanisms
  4. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held that an ATDS must have the capacity to use a random or sequential number generator to store or produce numbers; the majority quoted 47 U.S.C. § 227(a)(1)
  5. FTC, National Do Not Call Registry (information for telemarketers): Telemarketers must access the DNC Registry at least every 31 days and honor registrations within 30 days; a paid subscription is required for lists over 5 numbers under 16 C.F.R. § 310.4(b)
  6. U.S. Government Publishing Office, 28 U.S.C. § 1658 (Statute of Limitations): The four-year federal statute of limitations under 28 U.S.C. § 1658 applies to TCPA claims, requiring record retention for at least four years
  7. FTC, 16 C.F.R. Part 310 (Telemarketing Sales Rule): FTC's Telemarketing Sales Rule at 16 C.F.R. § 310.4(b) sets DNC scrubbing frequency requirements and covers text messages as functionally equivalent to calls for DNC purposes
  8. U.S. Court of Appeals Ninth Circuit, Marks v. Crunch San Diego LLC, 904 F.3d 1041 (9th Cir. 2018): The Ninth Circuit held in 2018 that an ATDS includes any system with the capacity to dial automatically from a stored list, a broader definition later narrowed by the Supreme Court in 2021

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit