What does opt-in SMS mean? A plain-English compliance guide

SMS opt-in means a person actively agreed to receive your texts before you send them. TCPA requires it. Here's what counts, what doesn't, and how to do it right.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Person holding a phone above a wooden counter, about to submit an SMS opt-in form
Person holding a phone above a wooden counter, about to submit an SMS opt-in form

TL;DR

SMS opt-in means a person gave you prior express written consent to receive marketing texts before you sent the first message. The TCPA requires this for autodialed texts to a cell number. Without a valid opt-in, each text can cost $500 to $1,500 in statutory damages. The consent must be voluntary, clearly disclosed, and documented.

What does opt-in SMS mean, exactly?

An SMS opt-in is the moment a person agrees, in advance and on purpose, to receive text messages from a specific sender for a specific reason. It is not implied. It is not inferred from a purchase or an inquiry. The person takes an action that clearly signals: yes, text me.

The term shows up everywhere in compliance talk, but the legal weight behind it comes from one statute: the Telephone Consumer Protection Act, 47 U.S.C. § 227 [1]. That law, passed in 1991 and reshaped repeatedly by FCC rulemaking, bans marketing texts sent by autodialer or prerecorded message to a cell number without "prior express written consent" from the recipient. The FCC's 2012 order made written consent mandatory for marketing texts and closed the door on oral consent in that context [2].

So when someone asks what SMS opt-in means, the honest answer has two layers. Conceptually, the person raised their hand. Legally, you hold a documented record showing they gave prior express written consent, with a clear disclosure that autodialed texts may be sent, that consent is not a condition of purchase, and that message and data rates may apply.

Miss any of those elements and your opt-in isn't just weak. It's legally invalid.

Prior express written consent is defined in 47 C.F.R. § 64.1200(f)(9) [2]. Four elements are required, and all four have to be present.

1. A written agreement (paper or electronic) that the person signed, with an electronic signature meeting the E-SIGN Act standard. 2. A clear and conspicuous disclosure that the person will receive autodialed marketing texts. 3. A statement that consent is not required to purchase goods or services. 4. The person's phone number.

That third element trips up a lot of teams. If your opt-in language reads "enter your phone number to complete your purchase," you've tied purchase to consent. That's explicitly prohibited. The consent and the transaction have to be separable.

"Written" under E-SIGN covers a web form checkbox, a keyword reply, a paper signature, or an email reply, as long as the disclosure language sits at the point of consent and the record gets retained [3]. A verbal agreement over the phone, a forwarded email, or a contact form that says nothing about texts does not clear the bar.

Consent is also sender-specific and purpose-specific. Someone who opted into texts from your company about account updates has not consented to your promotional offers. Someone who consented to texts from Vendor A has not consented to texts from you, even if you bought that lead list. The FCC's January 2025 one-to-one consent rule, effective January 27, 2025, made this explicit: a single consent cannot serve multiple sellers [4].

What are the different types of SMS opt-in methods?

There are four common ways someone opts into your SMS program, and they don't carry equal weight for compliance.

MethodHow it worksConsent strengthCommon use
Keyword opt-inPerson texts a word (JOIN, YES) to a shortcode or numberStrong if disclosures are in the call-to-actionRetail, events, mass campaigns
Web form opt-inPerson enters number and checks a box with compliant disclosure languageStrong if checkbox is unchecked by defaultLead gen, e-commerce, real estate
Point-of-sale opt-inPerson writes number on a paper form with disclosureStrong if language meets standardRestaurants, local service businesses
Verbal opt-inPerson says "yes" over the phoneDoes NOT meet written consent standard for marketing textsN/A for autodialed marketing

Keyword opt-ins work well, but the call-to-action that prompts the text (a sign, a website, a flyer) has to carry all required disclosures at the point of promotion, not after the keyword lands [5]. So the ad or sign says something like: "Text JOIN to 55555 to receive marketing texts from [Brand]. Msg & data rates may apply. Consent is not required to buy. Reply STOP to cancel."

Web form opt-ins are the most auditable. The timestamp, IP address, and form submission all get logged. The checkbox must be unchecked by default. A pre-checked box is not valid consent under the FCC rules and has triggered TCPA suits [2].

For a deeper look at building a form that holds up in court, see SMS opt-in form: what it must say and how to build one.

TCPA SMS violation exposure at a glance Key thresholds every outbound team should know 500 Statutory damages per negli… violation 1,500 Statutory damages per willf… violation 16.5M Papa John's TCPA class action settlement (millions) 4 Years to retain opt-in records (TCPA statute of Source: 47 U.S.C. § 227 (TCPA); FCC 2012 Report and Order

What is SMS double opt-in and do you need it?

Double opt-in (also called confirmed opt-in) means you send a confirmation text after the initial signup and require the person to reply YES before they enter your active list. The first opt-in is the initial action. The second is the confirmation.

No federal law requires double opt-in. The TCPA doesn't mandate it. The FCC doesn't mandate it. The CTIA Messaging Principles, which are carrier guidelines rather than law, recommend it as a best practice but stop short of requiring it [5].

Still, double opt-in is the right call for most marketing programs. It filters out typos, blocks number spoofing, and hands you a second timestamped record of affirmative consent. In a TCPA suit, your defense rests almost entirely on your consent records. Two records beat one.

The downside is list size. Double opt-in typically shrinks confirmed subscribers by 20 to 40 percent compared to single opt-in, because some people never bother replying to the confirmation. That's a real business cost. Whether it's worth it depends on your risk tolerance and what you're sending. For high-frequency promotional texts, I'd do double opt-in. For transactional alerts where you have solid first-party data, single opt-in with strong documentation can be enough.

See the full breakdown at sms double opt in.

What happens if you text someone who didn't opt in?

You're exposed to TCPA liability. Statutory damages run $500 per negligent violation and up to $1,500 per willful violation [1]. Per text. Sent to a cell phone by autodialer without consent.

Those numbers sound manageable until you count your send volume. Most outbound SMS campaigns push thousands of messages. A mid-sized campaign of 10,000 texts to a non-consented list at $500 each is a $5 million exposure. Courts have certified class actions on exactly this theory.

Satterfield v. Simon & Schuster (9th Cir. 2009) established that texts count as "calls" under the TCPA, confirming the statute's protections apply fully to SMS [6]. Since then, TCPA text class actions have piled up. Settlements routinely reach the millions: Papa John's settled a TCPA text-message class action for $16.5 million in 2013 [7].

Beyond class actions, the FCC can issue fines, and state attorneys general can bring actions under their own consumer protection laws. California enforces aggressively, and Florida, Washington, and Texas have layered extra restrictions on top of the TCPA [8].

If you're buying lead lists and texting people whose consent you didn't personally collect, you're the one on the hook. The list broker's indemnification clause probably won't save you in court, and it definitely won't stop the suit from being filed.

What are the required disclosures in an SMS opt-in?

Every valid SMS opt-in has to carry specific language at the point of consent. The FCC rules and CTIA guidelines line up on the core elements [2][5]:

  • Identity of the sender (your brand name or DBA)
  • Description of the message program (what kinds of texts you'll send)
  • Message frequency disclosure ("up to X msgs/month" or "recurring messages")
  • "Message and data rates may apply"
  • Instructions to opt out ("Reply STOP to cancel" or equivalent)
  • Instructions to get help ("Reply HELP for help" or a support link)
  • A statement that consent is not a condition of purchase

This language appears before or at the moment of consent, never in a confirmation text that arrives after the person already handed over their number. The FCC requires the disclosure to be "clear and conspicuous," which rules out burying it in a terms-of-service link, hiding it below the fold, or shrinking it to 6-point type [2].

On web forms, put the disclosure right next to the phone number field or the submit button. For keyword opt-ins, the call-to-action ad carries the disclosure burden. For point-of-sale forms, the disclosure goes on the same line as the signature area.

Not sure your current disclosures meet the standard? The sms opt-in requirements guide walks through every required element with worked examples.

How long does an SMS opt-in last?

The TCPA sets no expiration date on consent, but consent doesn't last forever. The FCC has said consent can be revoked at any time by any reasonable means [9]. Once a subscriber texts STOP, calls you, emails you, or tells your customer service rep to knock it off, you have to honor that revocation promptly.

Beyond revocation, there's the stale-list problem. A consent given three years ago on a form that's since been redesigned, with disclosures that may not have met today's standards, is a risk. The FCC's 2025 one-to-one consent rule turned up the pressure here, because old pooled or lead-gen consents that covered multiple sellers are now invalid for marketing texts [4].

My honest recommendation: treat consent records like they have a shelf life. If someone opted in more than 18 months ago and has never engaged (no clicks, no replies), reconsent them before the next promotional text. You'll lose some subscribers. You'll also shed your liability on those stale records.

One more thing. Consent to marketing texts does not transfer when a phone number gets reassigned. Carriers reassign numbers constantly. Text a reassigned number without checking, and you've potentially messaged someone who never consented. The FCC's Reassigned Numbers Database exists for exactly this problem [10]. Check it.

What is the difference between single opt-in and implied consent for SMS?

Implied consent means you infer consent from a relationship or action rather than collecting it outright. Someone who gave you their phone number while placing an order might be treated as having implied they want texts about that order.

Here's the line that matters: implied consent is fine for transactional and informational texts (order confirmations, appointment reminders, shipping alerts) but it does not meet the "prior express written consent" standard required for marketing texts under the TCPA [2].

The word "express" in the statute does real work. Consent has to be stated, not inferred. If your text promotes a product, a service, or a sale, you need express written consent. If your text only carries information the customer already asked for (their order status, a one-time PIN, a service appointment reminder), the bar drops.

The gray zone is where most disputes live. A text that says "Your order shipped! Also, check out our new arrivals" is probably a marketing text for TCPA purposes, even though it opens with a transactional update. The FCC looks at the primary purpose of the message [2]. If the primary purpose is to promote, you need marketing consent, full stop.

For the broader rules on running a compliant program, tcpa sms compliance is worth reading before your next campaign.

How should businesses collect and document SMS opt-ins?

Documentation is your entire defense in a TCPA suit. The plaintiff's burden is to show you sent the text. Your burden is to show you had consent. Can't produce the consent record? You lose.

Here's what a solid SMS opt-in record holds:

  • The subscriber's phone number
  • The date and time of consent
  • The method of consent (keyword, web form, paper, etc.)
  • The exact disclosure language they saw at the time of consent
  • For web forms: IP address and user-agent string
  • For keyword opt-ins: the inbound message record

Store these records for at least four years, which matches the TCPA's statute of limitations. Some teams keep them longer, which isn't unreasonable given that class actions sometimes take years to file and certify.

The tools you use matter. A marketing text message service with no consent audit log is a liability, not an asset. Good text message marketing software timestamps opt-ins, stores the originating source, and exports records for litigation holds. If your current platform can't show you a per-number consent audit trail, fix that before you scale.

LeadCompliant's free compliance kit includes a consent record template and a pre-send checklist you can use on any SMS platform. That kind of documentation hygiene costs almost nothing and can be the difference between a dismissed case and a settlement.

What are the TCPA's rules specifically for SMS marketing opt-ins?

The TCPA, at 47 U.S.C. § 227(b)(1)(A), bars any person from using an automatic telephone dialing system to call or text a cell number without prior express consent [1]. The statute reads: "It shall be unlawful for any person within the United States... to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice" to a wireless number.

For marketing texts, the FCC's 2012 Report and Order raised the standard from "prior express consent" to "prior express written consent" and required a disclosure that consent is not a condition of purchase [2]. That was a big shift. Before 2012, some courts accepted oral consent for marketing calls. After 2012, that path closed for texting.

The FCC's 2023 and 2025 rulemakings tightened things further. The 2025 one-to-one consent rule requires each marketing text consent to name the specific company that will send the texts, and the topic of the texts has to be "logically and topically associated" with the website where consent was collected [4]. A mortgage company can't collect consent on a recipe site and then text about loans.

Texting rules also collide with carrier requirements. The CTIA (the wireless industry trade group) publishes Messaging Principles and Best Practices that carriers use to decide whether to block or filter messages [5]. Non-compliant programs get flagged and messages get dropped, sometimes without notice. TCPA compliance is the legal floor. CTIA guidelines are the operational ceiling.

To track rule changes, the tcpa news today feed covers FCC orders, court decisions, and enforcement actions as they land.

Does opt-in SMS work the same for B2B as for B2C?

This is one of the most common misreadings in outbound sales. People assume B2B texting is exempt from the TCPA because the recipient is a "business contact." It isn't that simple.

The TCPA applies to cell phones, not to people's roles. Texting a sales prospect on their personal cell means you need TCPA-compliant consent, regardless of whether the outreach is business to business. Most professionals use personal cell phones for work, so most B2B texting lands on TCPA-protected numbers.

The narrow exception: if you're texting a landline business number, the TCPA's autodialer restrictions apply differently and some consent rules vary. But that's rarely how B2B outbound texting actually runs.

Some courts have found that prior business relationships can support implied consent for informational texts. That doesn't extend to marketing texts. Send promotional content to a business contact's cell without documented consent and you're exposed.

For teams doing outbound across borders, the picture gets more tangled. GDPR in the EU and CASL in Canada stack extra consent requirements on top, and the one-to-one consent model the FCC now requires lines up more closely with GDPR's specificity requirement than the old pooled model did [11]. If your team sells internationally, b2b lead generation platforms gdpr compliance covers how those frameworks interact.

What is the best way to handle SMS opt-outs?

Opt-out handling is neither optional nor discretionary. The TCPA and FCC rules require you to honor opt-out requests, and the FCC clarified in 2023 that opt-outs are effective immediately through any reasonable channel, not only a STOP reply [9].

The mechanics of STOP handling: every marketing text carries opt-out instructions. When a subscriber replies STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT), your system suppresses that number from future marketing texts. Carriers enforce this at the platform level for shortcodes. For 10DLC numbers, the burden falls more squarely on the sender to build it right.

Beyond STOP replies, the 2023 FCC ruling means that if a customer calls your support line and says "stop texting me," that's a valid revocation. Email it, same thing. You need a process to capture these opt-outs and sync them to your SMS suppression list within a reasonable time. "Reasonable" isn't defined in hours, but sending another marketing text the next day to someone who just called to opt out will not go well in court.

Keep opt-out records as carefully as opt-in records. In a TCPA suit, the question often isn't whether the person consented originally. It's whether you kept texting them after they revoked. That continuation, sitting in your own send logs, is your liability.

Running a restaurant or local business SMS program? sample text message marketing for restaurants has opt-out language templates you can drop straight into your campaigns.

How does opt-in SMS work in real estate?

Real estate is one of the highest-risk verticals for TCPA exposure. Agents and brokers text leads from purchased lists, share leads across teams, and run autodialers, often without realizing the consent requirements apply to every text.

The FCC's 2025 one-to-one consent rule hit real estate lead generation hard. Before the rule, a single consumer consent on a real estate portal could be shared with dozens of agents and teams. After January 27, 2025, that model is gone. Consent must name the specific company that will text the consumer, and the consent has to be logically connected to real estate topics if collected on a real estate site [4].

For agents, the safest path is collecting first-party consent directly. A web form on your own site, with proper TCPA disclosures, that a prospect submits themselves is the gold standard. Buying leads from portals that claim TCPA consent is riskier now than it was two years ago.

Property managers texting tenants about lease renewals, rent due dates, and maintenance updates operate under the transactional-versus-marketing line covered earlier. Informational texts about an existing tenancy generally fall under implied consent from the lease relationship. Promotional texts about new units or referral programs need express written consent.

The specifics for this vertical live at real estate text message marketing.

What tools help you manage SMS opt-ins compliantly?

A compliant SMS opt-in program has three technical parts: a consent collection mechanism, a consent record store, and a suppression list that updates in real time.

For consent collection, web forms with timestamp logging are the most auditable. If you're using a third-party lead form builder, verify it captures IP address and submission timestamp alongside the phone number. Many general-purpose form tools skip this by default, and you may need a custom integration to log it.

For consent records, you need a database or log that ties each phone number to a specific consent event, including the date, method, and exact disclosure language shown. This record is your litigation shield. A spreadsheet works for small programs but doesn't scale and doesn't give you the audit-trail depth that TCPA defense demands.

For suppression, your SMS platform's built-in opt-out handling covers STOP replies, but you need a process for opt-outs arriving through other channels (phone, email, in-person). A centralized do-not-contact list that syncs across your CRM, SMS platform, and phone dialer is the right architecture.

Two checks worth running before any campaign: the FCC's Reassigned Numbers Database to catch reassigned numbers [10], and a real-time DNC scrub against the National Do Not Call Registry [12]. Neither is SMS-specific, but both belong in a complete pre-send workflow.

For how Twilio's infrastructure fits into all this, Twilio TCPA compliance: what you actually need to do covers the carrier-side requirements most teams overlook.

Frequently asked questions

What does SMS opt-in mean for a business sending marketing texts?

For a business, SMS opt-in means you hold a documented record showing each recipient gave prior express written consent to receive your marketing texts before you sent the first one. That record shows the date, the disclosure language the person saw, and the method of consent. Without it, each marketing text to a cell number using an autodialer carries $500 to $1,500 in potential TCPA liability.

Is a pre-checked checkbox a valid SMS opt-in?

No. A pre-checked checkbox is not valid consent under the TCPA or FCC rules. Valid consent requires an affirmative act by the consumer. A box already checked when the page loads means the consumer did nothing, so there's no affirmative consent. Courts and the FCC have treated pre-checked boxes as insufficient. Your checkbox must start unchecked and require the user to actively select it.

Can I text someone who gave me their number verbally?

For transactional texts (an appointment reminder, a one-time code), a verbal interaction that produced the number may support implied consent. For marketing texts, no. The FCC requires prior express written consent for autodialed marketing messages, and a verbal exchange doesn't satisfy the written requirement. You'd need to follow up and collect a written opt-in before sending any promotional content to that number.

What is the difference between SMS opt-in and SMS double opt-in?

Single opt-in means the person completes one action (fills out a form, texts a keyword) and joins your list. Double opt-in adds a second step: you send a confirmation text and they must reply YES before being added. Double opt-in isn't legally required, but it produces a second timestamped consent record, which strengthens your defense in a TCPA dispute. It typically reduces list size by 20 to 40 percent.

How long do I need to keep SMS opt-in records?

Keep them for at least four years. That matches the TCPA's statute of limitations under 28 U.S.C. § 1658. Class actions sometimes take years to file after the alleged violations, so a four-year retention policy lets you produce records for any plausible claim. Some compliance teams go to five or six years as a buffer. Store the phone number, consent date, method, and the exact disclosure language the person saw.

The TCPA sets no hard expiration date, but consent isn't permanent in practice. It ends immediately when someone opts out by any reasonable means, including a STOP reply, a phone call, or an email. Practically, consent collected more than 18 to 24 months ago with no engagement is a risk, especially given the FCC's 2025 one-to-one consent rule, which invalidated older pooled or multi-seller consent forms. Reconsent stale subscribers before texting them again.

Can I buy a list and text those people if the list came with consent records?

After the FCC's January 2025 one-to-one consent rule, this practice is almost certainly non-compliant for marketing texts. The rule requires that consent name the specific company texting the consumer. A lead list from a third party names the broker or the aggregator, not you. So even if the list came with consent documentation, that consent doesn't cover texts from your company. Collect your own first-party consent.

Do TCPA opt-in rules apply to texts sent manually (not via autodialer)?

This is genuinely contested and the subject of ongoing litigation. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the definition of an autodialer, which gave manual texting more legal breathing room. But many state laws (including California) use broader definitions that can cover manual texts, and the FCC may revisit the autodialer definition. The safe approach is to treat any systematic SMS outreach as requiring consent regardless of sending method.

What should an SMS opt-in confirmation text say?

A confirmation text for double opt-in should include your brand name, a brief program description, message frequency, a statement that message and data rates may apply, and instructions to reply YES to confirm or STOP to cancel. Example: "[Brand]: Reply YES to confirm you want [X] texts/month about [topic]. Msg & data rates may apply. Reply STOP to cancel." Send this only after the initial opt-in action.

Are there state laws that add requirements on top of TCPA for SMS opt-in?

Yes. Florida's Telephone Solicitation Act (FTSA) added per-text damages for violations and has fueled suits independent of the TCPA. Washington State, Oklahoma, and several other states have their own telemarketing laws that reach texts. California's privacy authority holds broad consumer protection powers. State laws can sometimes cover manual texts that fall outside the narrowed federal autodialer definition. Always check the laws where your recipients are located.

What happens if a subscriber's phone number gets reassigned to a new person?

If you text a reassigned number, you've contacted someone who never consented. The TCPA treats this as a violation if the text went out via autodialer. The FCC operates the Reassigned Numbers Database, which lets you check whether a number has been reassigned since you last had contact with the subscriber. Checking it before campaigns is a practical step, especially for lists older than six months.

Do transactional texts require an opt-in?

Transactional texts (order confirmations, shipping alerts, appointment reminders, one-time PINs) generally require only prior express consent, not the higher standard of prior express written consent required for marketing. A customer giving you their number during checkout and receiving a shipping alert typically sits within implied consent. But if that same text also promotes another product or includes a discount offer, it becomes a marketing text and needs full written consent.

How do I handle opt-outs that come in through email or phone call, not via STOP reply?

Honor them immediately and document them. The FCC's 2023 order confirmed that opt-outs are effective through any reasonable channel, not only STOP replies. Build a process to capture opt-outs from your customer service team, email inbox, and CRM, and sync them to your SMS suppression list. A centralized do-not-contact list that feeds every outreach channel is the right architecture. Texting someone after they called to opt out is exactly the kind of willful violation that triggers $1,500 per-message damages.

Sources

  1. U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA prohibits autodialed texts to cell numbers without prior express consent; statutory damages are $500 per violation, up to $1,500 for willful violations
  2. FCC, Rules and Regulations Implementing the TCPA, 47 C.F.R. § 64.1200: FCC required prior express written consent for marketing texts, including disclosure that consent is not a condition of purchase, and prohibited pre-checked boxes
  3. U.S. Government, Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001: E-SIGN Act establishes that electronic signatures and records satisfy written consent requirements under federal law
  4. Satterfield v. Simon & Schuster, Inc., 569 F.3d 946 (9th Cir. 2009): 9th Circuit established that text messages are 'calls' under the TCPA, confirming TCPA protections apply fully to SMS
  5. Agne v. Papa John's International, Inc., U.S. District Court, Western District of Washington (TCPA settlement, 2013): Papa John's settled a TCPA text-message class action for $16.5 million in 2013
  6. Florida Legislature, Florida Telephone Solicitation Act, Section 501.059, Florida Statutes: Florida's FTSA creates state-level per-text damages for telemarketing violations, including SMS, independent of TCPA
  7. FCC, Reassigned Numbers Database: The FCC operates the Reassigned Numbers Database to help senders check whether a number has been reassigned since they last had contact with a subscriber
  8. European Commission, General Data Protection Regulation (GDPR), Article 7: GDPR requires freely given, specific, informed, and unambiguous consent for processing personal data including phone numbers for marketing
  9. FTC, National Do Not Call Registry: The National Do Not Call Registry requires telemarketers to scrub their lists before calling or texting registered numbers
  10. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the definition of autodialer under the TCPA to devices that use random or sequential number generation, affecting which systems trigger TCPA consent requirements

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit