Washington state CEMA compliance for SMS outbound teams

Washington's CEMA sets stricter SMS consent rules than TCPA, with penalties up to $25,000 per violation. Here's exactly what outbound teams must do.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-11

Compliance officer reviewing SMS compliance documents at a desk near a rainy Washington window
Compliance officer reviewing SMS compliance documents at a desk near a rainy Washington window

TL;DR

Washington's Commercial Electronic Mail Act (CEMA, RCW 19.190) covers commercial text messages and runs stricter than federal TCPA in several ways. Penalties reach $25,000 per violation under the Consumer Protection Act. Outbound SMS teams need prior express consent, honest sender identification, and a working opt-out before sending a single text to a Washington number.

What is Washington's CEMA and does it apply to SMS?

Washington's Commercial Electronic Mail Act lives at RCW 19.190. It was written for email spam, but the state Attorney General and Washington courts have applied it to commercial text messages, because the statute covers any "electronic mail message" sent to a Washington electronic mail address, and "electronic mail address" has been read broadly enough to include SMS and MMS destinations on mobile devices. [1]

So yes. If your outbound team texts people with Washington area codes, or people you have reason to believe live in Washington, CEMA applies to you. Your company being based in Ohio or Texas changes nothing. The law follows the recipient.

CEMA gets enforced two ways. The Washington Attorney General can bring an action under the Consumer Protection Act (CPA, RCW 19.86), which lets the state collect actual damages or a statutory amount, plus attorney fees. [2] Private plaintiffs can sue under RCW 19.190.040, and when a CPA claim attaches, damages can triple. The $25,000-per-violation ceiling people cite comes from the CPA's per-violation cap for unfair or deceptive acts in trade. [2]

That math gets ugly fast. A batch of 500 texts to people who never consented is not a $500 problem. It's potential eight-figure exposure if a plaintiff's attorney decides to be aggressive.

How is CEMA different from the federal TCPA?

The TCPA (47 U.S.C. § 227) is the federal floor for SMS marketing. CEMA is a separate state law that sits on top of that floor and adds requirements. The two interact. They don't cancel each other out.

Here's where they split in practice:

IssueTCPA (federal)CEMA (Washington)
ScopePhone calls, faxes, SMS to cell numbersCommercial electronic messages incl. SMS to WA recipients
Consent standard for marketing SMSPrior express written consentPrior express consent (writing not always required, but get it in writing anyway)
Opt-out requirementMust honor within 30 daysMust honor promptly; no specific day count in statute
Sender ID disclosureRequiredRequired, including a valid reply-to or contact address
Private right of actionYes, $500-$1,500/messageYes, via CPA; up to $25,000/violation + treble damages
Who can sueRecipientRecipient or WA Attorney General
ATDS requirementYes (complicated post-Facebook v. Duguid)No ATDS element; applies regardless of how messages are sent

That last row matters most. The Supreme Court's 2021 Facebook v. Duguid decision narrowed the TCPA's autodialer definition, which handed some texting platforms an argument that they weren't using an ATDS. [3] CEMA has no such opening. Send a commercial text to a Washington resident and CEMA applies, whether you used a platform, a bulk SMS API, or someone typing manually.

For a deeper look at how the federal side works, see our overview of text message marketing compliance.

What counts as a "commercial" message under CEMA?

CEMA reaches commercial electronic messages, which the statute defines as messages sent primarily to promote a sale, lease, exchange, or other commercial transaction in real property, goods, or services. [1] Transactional messages (order confirmations, shipping updates, password resets) are not commercial under that definition and generally fall outside CEMA.

The line blurs when outbound sales teams send "check-in" texts that look relational but are built to move someone toward a purchase. Courts look at the primary purpose. If a reasonable recipient would read it as a sales pitch, it's commercial. Don't dress up marketing as a friendly follow-up to dodge the statute. That argument loses in court and it makes judges cranky.

What about lead generation texts? If your team is texting people to get them on a call, book a demo, or pull a quote, that's commercial. Full stop.

Washington CEMA: key compliance numbers What the statute and CPA actually allow plaintiffs and the AG to seek $500 Private plaintiff per-viola… (actual damages or statutory $25k CPA treble damages cap per violation $4 Statute of limitations (yea… Source: Washington State Legislature, RCW 19.190 and RCW 19.86

CEMA requires the recipient's prior consent before you send commercial electronic messages. [1] The statute doesn't spell out a detailed consent form the way the FCC's TCPA rules do for autodialers, but "prior" means before the first message, and you need evidence the person agreed to receive texts from you specifically.

Hold yourself to this standard: written consent, tied to the specific phone number, with a clear disclosure that the person will get commercial texts from your company. Verbal consent can satisfy CEMA in theory. You just can't prove it after the fact. One plaintiff says "I never agreed to this," and now you're defending a claim you can't rebut.

The FCC's one-to-one consent rule (effective January 27, 2025) added a federal layer on top: consent has to be obtained on a per-sender basis and can't be aggregated through a lead generation form that lumps in dozens of companies. [4] Washington teams buying through lead aggregators should read that rule carefully. The leads you're paying for may not carry legally sufficient consent under either TCPA or CEMA.

A few things your consent record should capture:

  • The exact language the person saw or heard
  • Date and time of consent
  • The phone number tied to the consent
  • The channel where consent happened (web form, paper form, recorded call)

Keep these records at least four years. Washington's CPA has a four-year statute of limitations. [2]

What must every commercial text message include under CEMA?

RCW 19.190.020 lists the required elements for compliant commercial electronic messages. [1] For SMS, that works out to three things.

1. Clear identification of who sent the message. The recipient needs your company name, more than a short code or a bare number. 2. A valid physical or electronic contact address where the sender can be reached. For SMS that usually means a reply address or a link to a contact page. Best practice is to include your company name plus a way to get more information or ask to stop. 3. An opt-out mechanism that actually works. Tell people how to stop, then honor the request.

The opt-out language doesn't need to be a legal paragraph. "Reply STOP to opt out" is enough if the system truly processes STOP replies and removes the number. What fails: burying opt-out instructions in fine print nobody reads, or running a STOP mechanism that silently breaks.

For high-volume SMS teams, the operational piece matters as much as the legal one. If your platform doesn't automatically suppress opted-out numbers, you will eventually re-text someone who already said stop. That's a violation, and depending on the platform, it can happen at scale before anyone notices.

Are there Washington-specific do-not-contact rules for SMS beyond CEMA?

Yes. Washington layers rules on top of the federal do not call list. The state maintains its own Do Not Call requirements under RCW 80.36.390, administered by the Washington Utilities and Transportation Commission (UTC). [5][10] The state list aims mostly at telephone solicitations, so outbound teams that also do calls alongside SMS should scrub against both the national and Washington state lists.

For pure SMS outreach, the federal National Do Not Call Registry applies to text messages the same way it applies to voice calls, per FTC and FCC rules. [6] Washington residents who registered their numbers still need to have given you prior express written consent under TCPA before you text them for marketing. A DNC registration doesn't override consent you already hold, but the absence of a registration is not consent.

More on managing DNC obligations is in our guide on the do not call telemarketer list.

What are the penalties for violating CEMA?

The penalty structure has two tracks and they stack.

Track one: RCW 19.190.040 gives a private plaintiff the right to sue for actual damages or $500 per violation, whichever is greater. [1] That sounds manageable until you remember each text is a separate violation.

Track two: when the violation also qualifies as an unfair or deceptive act under the Consumer Protection Act (RCW 19.86), the plaintiff can collect treble damages up to $25,000 per violation, plus attorney fees and costs. [2] The AG can also bring its own action.

A campaign that sent 1,000 unconsented texts to Washington residents could expose you to $25 million at the $25,000 ceiling. Nobody expects every case to max out. But plaintiff attorneys know this statute cold, and the threat alone forces settlements. The Cash App TCPA class action settlement and cases like it show how fast class treatment multiplies per-message liability into eight figures.

Most enforcement so far has come through the AG's office rather than class actions, but the private right of action exists and plaintiff firms use it. Assume someone in your contact list knows exactly what CEMA says.

Washington's AG runs an active Consumer Protection Division that handles technology-related consumer cases. [7] High-volume SMS outreach without a documented consent program is the exact profile that triggers an investigation.

How do you build a CEMA-compliant SMS program step by step?

This is the operational section. Here's what a compliant program looks like in practice.

Step 1: Audit your contact list for Washington numbers. Pull every number with a 206, 253, 360, 425, 509, or 564 area code. For each one, ask: do you have documented, affirmative consent to send commercial texts to that number? If the answer is "we bought the list" or "they called us once," that's not consent under CEMA.

Step 2: Suppress anyone without documented consent. Send nothing while you rebuild your consent records. One batch to an undocumented list is already a problem.

Step 3: Build or update your opt-in flow. Every path into your SMS funnel needs a clear consent disclosure: what they're agreeing to, how often they'll hear from you, and how to stop. Have an attorney familiar with Washington consumer protection law review it, more than a generic TCPA template.

Step 4: Configure opt-out handling. STOP, UNSUBSCRIBE, CANCEL, QUIT, END, and HELP are the keywords the FCC expects platforms to handle automatically. [8] Make sure your platform processes all of them, more than STOP. Test it.

Step 5: Keep records. Log consent date, source, and the exact disclosure language for every number. When a plaintiff sues, and some will, your consent records are your defense.

Step 6: Train your team. A rep manually texting from a personal phone creates liability just as fast as an automated platform. CEMA doesn't care whether a human or a machine sent it.

Step 7: Scrub against the national DNC and Washington state list before every campaign. [5][6] Put this in your standard workflow, not a one-time check.

LeadCompliant's compliance kit includes a Washington CEMA audit checklist and consent documentation templates if you'd rather start from something than build from scratch.

For teams doing cold calls alongside SMS, the rules on cold calling add another layer to manage in parallel.

Does CEMA apply if your business is outside Washington state?

Yes. The statute applies when the recipient is in Washington. [1] Courts and the AG apply CEMA based on where the message lands, not where it originates. That tracks how most state consumer protection statutes work.

A company in Florida sending bulk SMS to a purchased list that includes Washington numbers is subject to CEMA for those messages. Not knowing which numbers were in Washington is not a defense. If you run outbound SMS nationally, treat CEMA as a baseline requirement, because you almost certainly have Washington recipients in your list.

A few states have similar laws (Illinois, California, Connecticut), but Washington's CPA gives one of the sharper enforcement mechanisms, because the AG can seek per-violation penalties without proving a class. [2] That makes Washington a higher-priority compliance state than some others with nominally similar statutes.

How does CEMA interact with the FCC's 2024-2025 one-to-one consent rule?

The FCC's one-to-one consent rule, effective January 27, 2025, requires that TCPA consent for marketing calls and texts be specific to a single seller, obtained on a webpage directly related to that seller's products or services. [4] You can no longer get a consumer to check one box on a lead generation form that shares their consent with 50 companies.

For Washington teams this matters two ways: it tightens federal consent standards in a direction CEMA already pointed, and it creates a documentation problem for anyone buying leads from aggregators.

Buying leads from a third-party generator? You need to verify their opt-in flow meets both the FCC's one-to-one rule and CEMA's prior consent requirement. The FCC's Second Report and Order (FCC 23-107) spoke directly to lead generation. The Commission stated that consent "must be signed and be unambiguous, meaning the consumer must clearly agree to receive calls or texts from a specific seller." [4] List-based consent transfers no longer satisfy the federal standard.

Some aggregators updated their forms after January 2025. Many didn't. Ask for a copy of the actual consent disclosure language before you text anyone from a purchased list.

What records do you need to keep and for how long?

Washington's Consumer Protection Act has a four-year statute of limitations, so a plaintiff can sue up to four years after the violation. [2] Your records need to cover that window.

At minimum, keep:

  • Consent records: date, phone number, source (URL or call recording), and the exact disclosure text shown or spoken
  • Opt-out logs: date and time each number requested removal, and confirmation it was suppressed
  • Message logs: what went out, to whom, when
  • Suppression list: the running list of opted-out numbers, with dates

Store these in a system you can actually search. A spreadsheet in someone's Google Drive is not a compliance program. If you're served with a subpoena or a CID (civil investigative demand) from the AG's office, you need to produce these records fast and complete.

Using a third-party SMS platform? Confirm in writing that it retains logs and for how long. If the platform purges logs after 90 days and you get sued in year three, you have a problem.

Is there a safe harbor under CEMA for mistakes?

Not a broad one. CEMA has no explicit bona fide error safe harbor the way some other statutes do. The closest protection you have is being able to show documented prior consent and a working opt-out process. If a message slipped through despite a functioning compliance program, that's a far better defense than "we didn't know."

The Washington AG's office has shown some willingness to focus on egregious or high-volume violators rather than chase companies with a stray message or two. That's prosecutorial discretion, not a statutory guarantee, and it does nothing to protect you from private plaintiffs.

Practical advice: if you find a batch went out without proper consent, document what happened, stop the campaign immediately, and talk to a Washington-licensed attorney before you contact anyone who complained. Self-reporting has sometimes helped in AG negotiations, but that's a judgment call with legal stakes that needs a real lawyer, not a compliance blog.

This article is not legal advice. If you're facing an active complaint or AG inquiry, contact a licensed attorney familiar with Washington consumer protection law.

Frequently asked questions

Does CEMA apply to B2B text messages sent to Washington businesses?

CEMA covers commercial electronic messages sent to Washington recipients broadly, and courts have applied it to messages sent to individuals even in a business context if the recipient is a natural person. Pure business-to-business messages sent to a corporate address (not an individual's number) sit in a gray zone, but texting a specific employee's cell for commercial purposes creates CEMA exposure. Get consent either way.

Can I text Washington residents if they gave me their number on a web form?

Only if the form included a clear disclosure that by submitting their number they were consenting to receive commercial text messages from your company specifically. A generic contact form with no SMS disclosure doesn't satisfy CEMA or the FCC's one-to-one consent rule. The disclosure has to be conspicuous, not buried in terms of service, and it must name your company, not "partners" or "affiliates."

What opt-out keywords does my SMS platform need to recognize for CEMA compliance?

CEMA requires a functional opt-out mechanism but doesn't list specific keywords. The FCC's TCPA rules expect platforms to process STOP, UNSUBSCRIBE, CANCEL, QUIT, END, and HELP at minimum. Since CEMA violations often run alongside TCPA exposure, configure your platform for all of these. Test each one. A STOP reply that doesn't actually suppress the number is a violation waiting to happen.

How long does Washington's CEMA give me to honor an opt-out request?

CEMA says opt-outs must be honored but doesn't state a specific number of days. The TCPA requires honoring opt-out requests within 30 days. As a practical matter, your platform should suppress the number immediately or within the same business day. Waiting 30 days to honor a STOP is technically inside TCPA limits but creates needless risk under CEMA's prompt-handling expectation.

Is Washington's state do-not-call list separate from the federal DNC registry?

Yes. Washington maintains its own requirements under RCW 80.36.390, administered by the Washington Utilities and Transportation Commission. The federal National Do Not Call Registry is separate and run by the FTC. Scrub against both before any outbound campaign that includes voice calls. For SMS specifically, the national registry applies; the state list is primarily for telephone solicitations, but scrubbing it costs nothing and cuts risk.

Can a Washington resident sue me individually under CEMA or does it have to be a class action?

A single Washington resident can bring an individual lawsuit under RCW 19.190.040 and attach a Consumer Protection Act claim. Individual suits are common, more common than class actions. The mix of $25,000-per-violation CPA penalties and mandatory attorney fees makes individual suits economically viable for plaintiff attorneys even on small campaigns. You don't need thousands of plaintiffs for this to hurt.

Do transactional texts like appointment reminders need CEMA consent?

Transactional messages (appointment reminders, order confirmations, shipping notifications, two-factor codes) are generally not commercial under CEMA because they don't primarily promote a sale. You still need a basis to have and use the person's phone number, and any marketing content embedded in a transactional message can turn it commercial. Keep transactional and promotional texts strictly separate.

What happens if I buy a lead list that includes Washington numbers without valid consent?

Texting those numbers makes you the sender, and you bear CEMA liability even if the vendor promised the leads were opted in. The FCC's 2025 one-to-one consent rule adds a federal layer: consent must be specific to you as the sender, not bundled across multiple companies. Before texting any purchased lead, verify the exact opt-in language and confirm it names your company. If you can't verify it, don't send.

Does the Facebook v. Duguid ruling help outbound teams avoid CEMA?

No. The Supreme Court's 2021 Facebook v. Duguid decision narrowed the TCPA's autodialer definition, giving some texting platforms an argument that they don't trigger TCPA's prior express written consent requirement. CEMA has no autodialer element at all. It applies to any commercial text sent to a Washington recipient regardless of the technology used. Duguid is irrelevant to your CEMA exposure.

At minimum: your company name, a statement that the person is consenting to recurring commercial text messages from you, the approximate message frequency, that message and data rates may apply, and how to opt out. Something like: "By submitting this form, you agree to receive marketing text messages from [Company Name] at the number provided. Message frequency varies. Reply STOP to opt out. Msg & data rates may apply." Get a Washington-licensed attorney to review the final language.

Can the Washington Attorney General investigate my SMS program without a consumer complaint?

Yes. The AG's Consumer Protection Division can start investigations on its own, issue civil investigative demands (CIDs), and bring enforcement actions without waiting for individual complaints. The AG has broad investigative authority under RCW 19.86.110. High-volume SMS campaigns with no documented consent program are the pattern that draws proactive enforcement rather than reactive complaint handling.

How does CEMA treat SMS sent through a shared short code versus a dedicated number?

CEMA doesn't distinguish between short codes, toll-free numbers, and 10-digit long codes. The legal requirements are identical regardless of number format. That said, shared short codes create a practical problem: if another company on the same short code draws complaints, your traffic can get flagged too. Carriers have pushed hard away from shared short codes for exactly this reason, and most major carriers now restrict them.

Are there any industries exempt from CEMA's requirements?

CEMA doesn't carve out specific industries the way some states do for insurance or financial services. Any business sending commercial text messages to Washington recipients is subject to it. The CAN-SPAM Act preempts some state email laws, but Washington courts have found CEMA's SMS application isn't preempted, because CAN-SPAM explicitly covers electronic mail and doesn't preempt state laws prohibiting falsity or deception in electronic messages.

Sources

  1. Washington State Legislature, RCW 19.190 (Commercial Electronic Mail Act): CEMA covers commercial electronic messages including SMS sent to Washington recipients, requires prior consent, sender identification, and a working opt-out mechanism, and provides a private right of action for $500 per violation or actual damages.
  2. Washington State Legislature, RCW 19.86 (Consumer Protection Act): Washington's Consumer Protection Act allows treble damages up to $25,000 per violation, plus attorney fees, with a four-year statute of limitations; the AG can bring independent enforcement actions.
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021) (opinion index): The Supreme Court narrowed the TCPA's autodialer definition to require random or sequential number generation; this limitation does not apply to CEMA, which has no autodialer element.
  4. Washington Utilities and Transportation Commission (Do Not Call Program, RCW 80.36.390): Washington maintains a state Do Not Call program under RCW 80.36.390 administered by the UTC, separate from the federal National Do Not Call Registry.
  5. FTC, National Do Not Call Registry: The National Do Not Call Registry applies to text messages as well as voice calls; the FTC enforces the Telemarketing Sales Rule, and FCC rules extend DNC obligations to SMS marketing.
  6. Washington State Attorney General, Consumer Protection Division: The Washington AG's Consumer Protection Division has authority to initiate investigations and bring enforcement actions under RCW 19.86.110 without individual consumer complaints.
  7. 47 U.S.C. § 227 (Telephone Consumer Protection Act): The TCPA provides a private right of action for $500 to $1,500 per violation for unsolicited calls and texts to cell phones, and requires prior express written consent for autodialed marketing messages.
  8. Washington State Legislature, RCW 80.36.390 (Telephone Solicitation): Washington's telephone solicitation statute establishes the state's own do-not-call requirements, which apply to telephone solicitations made to Washington residents.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit