Last updated 2026-07-09

TL;DR
Two-way conversational SMS sits in a legal gray zone. The FCC carved out a narrow exemption for genuine person-to-person messaging, but most sales and marketing texts sent through automated platforms do not qualify. You likely still need prior express written consent under 47 USC 227 even when a human hits send, unless every element of the FCC's conversational P2P test is met.
What does the TCPA actually say about text messages?
The Telephone Consumer Protection Act, codified at 47 USC 227, was written in 1991, before SMS existed as a commercial tool. It bans using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to call any cellular number without prior express consent [1]. The FCC later confirmed, in a 2003 declaratory ruling and then in its 2012 rules, that text messages count as "calls" under the statute. So the same consent rules that apply to robocalls apply to marketing texts. [8]
The key phrase is ATDS. For years that was the whole fight. Does your platform qualify as an autodialer? The Supreme Court narrowed the ATDS definition in Facebook v. Duguid (2021), holding that a device must use a random or sequential number generator to store or produce numbers to qualify [3]. That ruling helped defendants in some autodialer cases. It did not erase the consent requirement. If your system sends texts from a list of stored numbers with any automated component, courts and the FCC still read your consent chain closely.
For text message marketing in general, see our overview of text message marketing and the broader TCPA framework.
What is the FCC's P2P (person-to-person) exemption for conversational SMS?
There is no single clean rule called the "P2P exemption." What exists is a mix of guidance and declaratory rulings that, taken together, suggest genuine person-to-person messaging falls outside the ATDS definition and therefore outside the core TCPA prohibition. The reasoning is simple. If a real human manually composes and sends one message to one recipient, no autodialer is involved, so 47 USC 227(b)(1) never triggers. [1]
The Cellular Telecommunications Industry Association (CTIA) has pushed carriers to separate P2P from A2P (application-to-person) traffic for routing and spam filtering, and that industry line has bled into legal arguments. Some defendants claim their texting platforms are just tools that let human agents send messages one at a time, which makes the traffic P2P.
The FCC's 2023 order tightening the one-to-one consent rule, effective January 2025, made the agency's skepticism clear. Consent must come from "the specific seller," the order says, and cannot be shared across a network of buyers or lead generators [5]. That order did not kill the P2P concept. It did signal that regulators are watching platforms that dress up mass messaging as individual conversation.
Does two-way SMS mean you don't need consent?
No. Two-way capability alone creates no consent exemption. This is the most common mistake I see in sales teams.
Two-way messaging means the platform lets the recipient reply and lets your agent respond. That is a feature, not a legal status. The TCPA cares about one moment: the first outbound message. Was there prior express consent, and was an ATDS used? Whether the person can text back afterward has nothing to do with that threshold question.
Two-way conversational SMS can help build the "manually dialed" or "human-initiated" argument. If your agent opens a contact record, reads the context, writes a custom message, and taps send one at a time, that looks more like P2P than an automated blast. Platform architecture still matters, though. Courts have asked whether the system has the capacity to work as an autodialer, even when the human-initiated mode is what you actually used [3].
Here is the bottom line. If your tool can send messages automatically or in bulk, document your manual send process carefully and still get consent. The two-way feature does not save you.
What level of consent does conversational SMS require?
There are three tiers of TCPA consent, and the type of message you send picks the tier.
| Message type | Consent tier required | Key requirement |
|---|---|---|
| Purely informational (no marketing) | Prior express consent | Any clear agreement, can be oral |
| Marketing or telemarketing | Prior express written consent | Written signature, can be electronic |
| Emergency or healthcare (strict limits) | Varies by exemption | FCC has specific safe harbors |
For outbound sales texts, you almost always need prior express written consent (PEWC). The FCC's 2012 rule change defined PEWC as a written agreement bearing the signature (including electronic) of the person called that clearly authorizes messages from a specific sender and discloses the autodialer use [8]. A pre-checked box does not count. A terms-of-service agreement buried in a sign-up flow does not count without an affirmative opt-in.
The FCC's January 2025 one-to-one consent rule added another layer. Consent obtained through a lead generation form has to name the specific seller who will contact the consumer. A lead gen page that says "you may be contacted by partners" and then sells that lead to 40 companies is no longer compliant [5]. If you bought leads, your consent chain deserves a hard look.
For truly conversational sessions where a consumer texts you first, that inbound message can establish consent for a reasonable back-and-forth in the same conversation. Once you start sending outbound marketing after the conversation ends, you need documented PEWC again.
How does the FCC distinguish P2P from A2P messaging in practice?
The FCC and carriers read several signals to classify traffic. Knowing them shows you why your platform's architecture matters legally, more than it matters operationally.
Throughput is the first signal. P2P messaging runs at low volume per sender, conversational pacing, and two-way flow. A2P messaging shows high-volume bursts, one-directional patterns, and template repetition. If your "conversational" platform sends 500 messages an hour from one number, carriers flag it as A2P no matter what your sales deck says.
Number type is the second. 10DLC (10-digit long codes) registration was built to separate legitimate A2P business traffic from P2P. The CTIA and major carriers now require businesses sending recurring messages to register campaigns through The Campaign Registry. Sending marketing texts on unregistered long codes violates carrier terms and gets messages blocked. Short codes are always treated as A2P. [6]
Message content is the third. Template-driven messages with variable fields ("Hi [FirstName], your quote is ready") read as A2P even when a human reviews them first. Courts have looked at content patterns too when deciding whether a system functioned as an ATDS.
So the practical move is this. If you are running a genuine one-on-one sales conversation over SMS, use a registered 10DLC number, keep volume reasonable, personalize beyond variable substitution, and document the human-send workflow. That combination gives you the best argument that your traffic is truly conversational.
What happened in real TCPA cases involving conversational or P2P SMS claims?
Courts have not uniformly accepted the P2P argument as a consent substitute. A few cases map the terrain.
In Duran v. La Boom Disco (2d Cir. 2020), the court focused on whether the platform had the capacity to autodial, finding capacity alone could trigger TCPA liability regardless of how the system was actually used. That capacity test has since been narrowed by Facebook v. Duguid, but the lesson holds: platform architecture matters [3].
Other district court cases have asked whether a one-to-one agent-sent text needs the same consent as a blast campaign. The analysis turns on how the software functioned, not on how the company described it.
Here is what is at stake financially. Statutory damages under 47 USC 227(b)(3) are $500 per violation, trebled to $1,500 for willful violations. A class of 10,000 recipients with one unconsented text each means $5 million in potential exposure at the base rate, $15 million if willfulness is shown [1]. Actual settlements vary widely. Cases like the credit one tcpa settlement and the cash app tcpa class action settlement show how fast these figures scale in practice.
The case law never says two-way conversational SMS is free of consent obligations. What courts do is examine the platform, the volume, the content, and the consent record. You want all four to line up in your favor.
Does a consumer texting you first count as consent?
Generally yes, within limits. When a consumer sends the first text, they have started the communication and implicitly consented to a reply. The FCC's logic mirrors the logic for inbound calls: you cannot claim someone did not consent when they dialed you.
This consent is narrow, though. It covers replies directly relevant to what they asked about, inside a reasonable time window. It does not open the door to future promotional texts, recurring appointment reminders, or upsell campaigns. For those, you need explicit PEWC.
A workable practice. When a consumer texts you first, answer their question, then ask them to confirm they want future messages from you. Keep that confirmation in your CRM with a timestamp and the message thread. That builds a clean PEWC record for later outreach.
One nuance is worth flagging. If the consumer found you through a lead gen page and filled out a form that fired an automatic text to them, the "they texted us" argument does not work. The automated outbound text was the first contact. Their reply is a reaction to your initiation, not a fresh consumer-initiated conversation.
What are the opt-out rules for two-way conversational SMS?
The TCPA itself does not spell out opt-out mechanics for SMS the way the CAN-SPAM Act does for email. The FCC and the CTIA have built a de facto standard instead.
For A2P messaging, carriers require that standard opt-out keywords (STOP, UNSUBSCRIBE, CANCEL, END, QUIT) stop messages immediately and trigger a single confirmation reply. No further messages after that, except that one transactional confirmation. HELP must return contact information. [6]
For conversational P2P messaging, carrier-level rules are less codified, but the TCPA's ban on contacting someone who has revoked consent applies regardless. If a person says "stop texting me" in any phrasing during a conversation, that is legally effective revocation. The word STOP is not magic. A plain-English request to stop is enough.
Your platform should capture STOP-keyword replies automatically and flag plain-English opt-out requests for human review. Any failure to honor either type within a reasonable time is a TCPA violation. The statute has not defined a reasonable time, so treat it as immediate. That is the only safe read.
If you are managing a do not call list for phone calls alongside your SMS program, connect the two suppression lists. A person who opts out of SMS should also drop off outbound calls unless they gave separate, independent consent for each channel.
How do the FCC's 2025 consent rules change things for SMS teams?
The FCC's December 2023 order (Report and Order FCC 23-107) took effect in stages, with the one-to-one consent requirement effective January 27, 2025 [5]. This is the biggest TCPA change in a decade for lead-based SMS programs.
Before this rule, one consent record could be shared among many sellers. A consumer who checked a box on a mortgage comparison site might hear from dozens of lenders, each claiming consent through that single disclosure. The FCC called the practice a lead generator loophole and closed it.
Now consent has to come from the specific seller who will send the messages. The comparison-site or aggregator lead model requires each seller to be named individually in the consent disclosure. The consumer must have checked a box or taken an affirmative step aimed specifically at your company.
For two-way SMS teams the impact is real. If you buy leads, the consent documentation has to show your company's name in the opt-in language. A generic "marketing partners" disclosure no longer passes. You either need to be listed by name on the lead source's consent page, or you collect consent yourself before sending the first text.
LeadCompliant's free consent checker can help you audit whether your current lead source agreements produce compliant consent records under the new standard. Getting that audit done before your next campaign goes out is the straightforward move.
The order also added a "logically and topically associated" requirement: consent has to relate to the subject matter the consumer expressed interest in. A consumer who opts in for a car insurance quote cannot be texted about life insurance under the same consent record.
What records do you need to keep to defend a TCPA claim?
The burden of proving consent in a TCPA case falls on the defendant, not the plaintiff. Practically, your records are your defense.
Document at minimum: the exact consent language the consumer saw, the timestamp of the opt-in, the IP address or device identifier, the phone number confirmed, and the specific seller or brand named in the disclosure. If consent came through a web form, preserve a screenshot of the form as it appeared at the moment of opt-in, more than the database record. Forms change. Screenshots do not.
For conversational SMS, keep the full message thread. If a consumer starts the conversation, that thread shows who texted first. If they later claim they never consented, the thread is your evidence. Store threads for at least four years, which is the TCPA statute of limitations under 28 USC 1658 [10].
Carrier registration records matter too. If you send on a 10DLC-registered campaign, keep your Campaign Registry documentation. It shows you were running a recognized business campaign, not a spam operation, which helps on a willfulness argument.
One more. If you use a third-party consent platform or a lead aggregator, get a written contract provision that indemnifies you if their consent records turn out to be defective. That clause is worth negotiating hard, because when a class action hits, the question of who bears liability between the seller and the lead source often comes down to whoever has the better indemnification language.
What should a small outbound SMS team do right now?
A few concrete steps, ordered by risk reduction.
Audit your platform first. Ask your SMS vendor directly: can this system send messages without per-message human initiation? If yes, you are in ATDS territory regardless of how you use it day to day. That does not mean stop using it. It means get your consent records in order before the next send.
Review every lead source second. For each source feeding your SMS program, pull the consent language and ask whether your company's name appears in it. Under the FCC's 2025 rule, if your name is not there, that lead's consent record is not usable for your outreach [5].
Build a suppression workflow third. Your CRM needs a STOP-keyword listener and a field for manual opt-outs. Anyone who texts STOP or says an equivalent in conversation gets flagged and removed from all future outbound queues within minutes, not hours.
Train your agents fourth on the line between a conversational reply (fine) and a campaign message (needs separate consent). A lot of TCPA exposure comes from agents who treat a consumer-initiated thread as blanket permission to push promotional content forever.
If you want a structured starting point, LeadCompliant offers a free TCPA compliance kit with the consent documentation checklist, a suppression workflow template, and the lead-source audit questions. It is a useful baseline, not a substitute for actual legal counsel.
For teams also running outbound calls, the cold calling rules and the do not call telemarketer list requirements run alongside your SMS program. A suppression list that covers both channels is simpler to manage and harder to breach by accident.
How does state law interact with TCPA consent requirements for SMS?
The TCPA sets a federal floor. States can go further, and several have.
Florida's Telephone Solicitation Act (FTSA), amended in 2021, added a Florida-specific prior express written consent requirement for texts sent using an autodialer. Florida also created a private right of action at $500 per violation, mirroring TCPA damages but applying independently. Florida plaintiffs filed a flood of FTSA cases in 2022 and 2023 [7]. The legislature amended the law in May 2023 to require a 15-day cure period before filing suit and to narrow the autodialer definition somewhat, but the consent obligation survived.
Oklahoma, Washington, and Maryland have enacted similar mini-TCPA statutes with varying autodialer definitions and damage amounts. Washington's law (RCW 80.36.400) applies to commercial messages sent to Washington residents regardless of where the sender sits [9].
California has no separate mini-TCPA, but the California Consumer Privacy Act (CCPA) intersects with SMS consent programs. If your opt-in form collects personal data from California residents, your consent language and data handling need to comply with CCPA as well.
The practical effect for SMS teams. Consent that meets FCC standards can still fall short in Florida or Washington. You need to know which states your leads come from and whether any state-specific requirement applies. Geographic filtering on your consent forms (different language or extra checkboxes for residents of specific states) is the cleanest fix.
Frequently asked questions
Is two-way SMS automatically exempt from the TCPA?
No. Two-way capability is a platform feature, not a legal exemption. The TCPA's consent requirements are triggered by the outbound message and whether an ATDS was involved, not by whether the recipient can reply. You still need prior express written consent for marketing texts even if your tool supports two-way conversations.
What is prior express written consent for SMS under the TCPA?
Under 47 USC 227 and the FCC's 2012 rules, prior express written consent is a written agreement, including an electronic signature, in which the consumer clearly authorizes a specific sender to contact them using an autodialer or prerecorded message and acknowledges that consent is not a condition of purchase. A pre-checked box or buried terms-of-service clause does not satisfy this standard.
Does texting someone back count as TCPA consent for future messages?
A consumer-initiated text establishes consent for replies relevant to that conversation. It does not create blanket consent for future marketing texts, promotions, or ongoing outreach. For anything beyond answering the consumer's original question, you need documented prior express written consent obtained separately.
What changed with TCPA consent rules in 2025?
The FCC's January 2025 rule (from its December 2023 order, FCC 23-107) requires one-to-one consent: the specific seller must be named in the consent disclosure, and consent must relate to the topic the consumer expressed interest in. Lead-sharing arrangements where one consent record is sold to multiple companies are no longer compliant under this rule.
How many TCPA violations can come from a single SMS campaign?
Each individual text message to each individual recipient without proper consent is a separate violation. Statutory damages are $500 per violation or $1,500 if the violation is willful. A campaign sending one unconsented text to 10,000 people creates $5 million in base exposure and up to $15 million if willfulness is found under 47 USC 227(b)(3).
Does 10DLC registration replace the need for TCPA consent?
No. 10DLC registration is a carrier requirement for routing legitimate business SMS traffic. It tells the carrier network your campaign is real and approved, which reduces blocking. It has nothing to do with TCPA consent. You still need prior express written consent from each recipient before sending marketing messages, regardless of whether your number is 10DLC-registered.
Can a sales agent send a personal-sounding text without TCPA consent?
Not for marketing purposes. If the agent uses any platform that has the capacity to function as an autodialer, the message may still be subject to TCPA requirements regardless of how personal it sounds. For a true P2P exemption argument, you need manual composition and manual sending with no automated components, plus records proving that process.
How long do you have to honor a STOP request for SMS?
Effectively immediately. The TCPA requires that consent revocation be honored promptly, and carrier standards treat STOP-keyword replies as requiring instant suppression followed by a single confirmation reply. Any message sent after a clear opt-out, in any phrasing, is a potential TCPA violation. Courts have not required the exact word STOP; a plain-English request to stop messaging is legally sufficient.
Does a consumer's inbound text qualify as consent if they found you through a paid ad?
It can, with documentation. If a consumer clicks your ad, then texts you of their own accord, that inbound message shows consumer-initiated contact. But if an automated system sent the first text after the consumer submitted a form, you initiated the contact and the "they texted first" argument fails. Preserve the full message thread with timestamps to prove who initiated.
Do B2B text messages need TCPA consent?
Technically the TCPA applies to cellular numbers regardless of whether the subscriber is a business or individual. Business lines with dedicated business numbers on non-cellular platforms have some additional arguments, but most business contacts receive texts on personal cell phones. Treating B2B SMS as requiring the same consent as B2C is the conservative and defensible position.
What records should I keep for TCPA compliance on SMS?
Keep the exact consent language the consumer saw, the timestamp and IP address of the opt-in, a screenshot of the web form as it appeared, the phone number confirmed, and the full message thread for each conversation. Store records for at least four years, which is the TCPA's statute of limitations under 28 USC 1658. Carrier registration documents and lead-source contracts with indemnification clauses also belong in your file.
What states have their own SMS consent laws beyond the TCPA?
Florida's FTSA (as amended in 2023), Oklahoma's Communications Act provisions, Washington's RCW 80.36.400, and Maryland's telephone solicitation statutes all impose additional consent or procedural requirements for commercial SMS. Florida in particular has been aggressive, generating significant class action litigation since 2021. Check where your leads originate and apply the strictest applicable standard.
Can I get consent through a chatbot or automated onboarding flow?
Yes, if the flow presents clear opt-in language, names your company specifically, discloses that an autodialer may be used, and requires an affirmative action (not a pre-checked box). An electronic signature through a chatbot can satisfy the FCC's written-consent standard. Document the flow version, the timestamp, and the consumer's affirmative action the same way you would for a web form.
How does the mobile phone do not call list interact with SMS consent requirements?
The National DNC Registry technically applies to telephone solicitations, which the FCC has interpreted to include marketing texts. Registrants on the DNC list who have not given you prior express written consent should not receive marketing SMS. DNC registration does not override valid PEWC, but if someone is on the DNC and you cannot prove PEWC, skip them. See our breakdown of the mobile phone do not call list for more detail.
Sources
- Cornell Law School Legal Information Institute, 47 USC 227: Statutory damages are $500 per violation and up to $1,500 for willful violations under 47 USC 227(b)(3); prohibits ATDS calls to cellular numbers without prior express consent; person-to-person manual messaging does not involve an ATDS.
- Federal Trade Commission, National Do Not Call Registry: The National Do Not Call Registry restricts telephone solicitations, which regulators treat as including marketing text messages.
- U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator to store or produce numbers; narrowed the ATDS definition used in TCPA cases.
- Cornell Law School Legal Information Institute, 47 CFR 64.1200: FCC implementing rules define prior express written consent and treat genuine person-to-person messaging without automated systems as outside the ATDS prohibition.
- Federal Communications Commission, Report and Order FCC 23-107 (2023), one-to-one consent rule: FCC required one-to-one consent naming the specific seller; effective January 27, 2025; closed lead-sharing consent farm practices.
- Cornell Law School Legal Information Institute, 47 CFR 64.1200 (opt-out and revocation rules): FCC rules require honoring consumer revocation of consent; carrier standards require STOP and HELP keyword support and 10DLC registration for business SMS campaigns sent on long codes.
- Florida Legislature, Florida Telephone Solicitation Act, Section 501.059 Florida Statutes: Florida FTSA as amended in 2023 imposes state-specific prior express written consent requirements for texts using autodialers and provides a private right of action with $500 per violation.
- Cornell Law School Legal Information Institute, 47 CFR 64.1200 (definition of prior express written consent): FCC rules confirm text messages are subject to the same TCPA rules as calls to cell phones and define prior express written consent as a signed written agreement authorizing a specific sender.
- Washington State Legislature, RCW 80.36.400: Washington state law prohibits unsolicited commercial texts to Washington residents and applies regardless of sender location.
- Cornell Law School LII, 28 USC 1658, Statute of Limitations: Four-year federal statute of limitations under 28 USC 1658 applies to TCPA claims, setting the minimum record retention window.