Last updated 2026-07-10

TL;DR
Uploading an old contact list to an SMS tool without checking consent is one of the fastest ways to draw a TCPA class action. Every contact needs prior express written consent for marketing texts, a documented opt-in source, a scrub against the National DNC Registry, and a clean suppression list. Miss any of those and each text costs $500 to $1,500.
Why uploading old contacts into an SMS tool is so risky under TCPA
The Telephone Consumer Protection Act, 47 U.S.C. § 227, makes it unlawful to text a person using an automatic telephone dialing system without prior express consent [1]. Most SMS marketing platforms qualify as an ATDS under the FCC's rules. That definition has been fought over in court since the Supreme Court's 2021 ruling in Facebook v. Duguid, but the practical risk has not gone away.
Here is the core problem. A contact list you collected six months ago, inherited from a CRM migration, or bought from a data broker almost never has the right kind of consent attached to it. The TCPA does not care that you meant well. It cares about what the person agreed to, in what format, and when.
Marketing texts require "prior express written consent" under 47 C.F.R. § 64.1200(a)(2) [2]. That is a higher bar than informational texts. The consent record has to include the consumer's electronic or written signature, the phone number they agreed to be reached at, and a clear disclosure that they agree to receive autodialed or prerecorded marketing messages. If your old CRM has a field that says "newsletter opt-in: yes" and nothing else, that is not consent for SMS marketing.
The damages add up fast. A single non-compliant blast to 10,000 contacts is theoretical exposure of $5 million to $15 million at the $500 to $1,500 statutory range [1]. That math is why companies like UnitedHealthcare ended up paying $2.5 million over alleged TCPA violations [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations], and why text message marketing programs live and die on consent hygiene.
What counts as valid prior express written consent for SMS marketing?
Valid consent is an agreement the person signed, in writing or electronically, that clearly authorizes you to send marketing texts to a specific number using an autodialer. The FCC set that standard in its 2012 order (FCC 12-21) [7]. The word "written" is broad. An electronic form submission counts. A checked checkbox counts. A text-to-join confirmation counts.
What does not count: a pre-checked box, a buried disclosure in 6-point font at the bottom of a 40-page terms document, or an oral yes with no paper trail.
The consent also has to be specific to SMS marketing. If someone signed up for email newsletters only, you do not have SMS consent. If they agreed to transactional alerts about their account, you do not automatically have consent to send promotions. These distinctions come up in litigation constantly.
The FCC's 2023 one-to-one consent rule (FCC 23-107) tightened things further by requiring that consent be obtained for a single identified seller, not for an entire lead generation ecosystem [3]. If your list came through a shared opt-in form that named a dozen companies, you may not have valid consent anymore even if you thought you did when you collected it.
Before you upload a single contact, you need to answer yes to all of these for each record. Did this person affirmatively agree to receive SMS marketing from my company specifically? Did they provide a clear electronic or written signature? Do I have a timestamped record of it? Can I produce that record in discovery if I have to?
The 12-step TCPA checklist before you import contacts into an SMS platform
Work through this list in order. Steps 1 through 5 cover consent. Steps 6 through 9 cover scrubbing. Steps 10 through 12 cover documentation and ongoing hygiene.
Step 1: Identify the original consent source for every record. For each contact, you need to know exactly where and how they opted in. A web form? A paper form at a trade show? A text-to-join campaign? A verbal agreement at point of sale? If you cannot answer that for a record, the record does not go into your SMS platform. Period.
Step 2: Verify the consent was specific to SMS marketing. Email consent is not SMS consent. Phone consent for informational alerts is not marketing SMS consent. Pull the original form language or confirmation message and confirm it explicitly covers marketing texts via ATDS.
Step 3: Check that consent was not obtained through a pre-checked box. Affirmative opt-in is required. A box checked by default and never unchecked fails the affirmative action test [2].
Step 4: Apply the one-to-one consent rule. After January 2025, a shared consent form that named your company among ten others does not give you valid consent [3]. If your contacts came through a lead aggregator or co-registration form, get legal advice before uploading them.
Step 5: Check consent age. The FCC and courts have not set a hard expiration date on TCPA consent. But common practice in compliance circles (and some state laws) treats consent as stale after 18 to 24 months of no contact. If a contact opted in three years ago and has never heard from you, require a fresh opt-in before you text them.
Step 6: Scrub against the National Do Not Call Registry. Even with valid TCPA consent, contacts on the National DNC Registry cannot get telemarketing calls or texts from organizations they have no established business relationship with [4]. The FTC charges registration and list access fees. Use a compliant scrubbing service or pull directly from the DNC registry.
Step 7: Scrub against your own internal suppression list. Every prior opt-out from any channel, whether someone texted STOP, called to complain, or sent a written request, has to live in a suppression list that gets applied at every upload. This is your first line of defense.
Step 8: Run a reassigned numbers check. The FCC's Reassigned Numbers Database (RND) launched in 2021 [5]. A number that belonged to your consenting customer six months ago may now belong to a stranger. Texting that stranger without consent is a violation. Use the RND.
Step 9: Verify numbers are wireless, not landline. TCPA consent rules for autodialed texts apply to wireless numbers. A landline cannot receive texts, and including them wastes credits and causes delivery failures that skew your metrics. Use a phone number validation service to tag wireline versus wireless before upload.
Step 10: Format your consent records for auditability. Every record should carry an associated consent record capturing the opt-in source (form URL or campaign ID), the timestamp with timezone, the IP address or device ID, and the exact disclosure language the person saw. Store it somewhere you can retrieve within 48 hours if opposing counsel calls.
Step 11: Map your data fields to the platform's compliance fields. Many SMS platforms have native fields for consent date, opt-in source, and channel. Map your data into those fields on upload, not into a custom notes field. Platform-level suppression logic often reads only from standard fields.
Step 12: Set up a post-upload validation workflow. After the import, pull a random sample of 50 to 100 records and manually verify their consent records. If more than 5% have gaps, stop and fix the source data before your first send.
What about contacts you imported from a purchased list?
Do not import them. That is blunt, I know. But purchased lists are where TCPA class actions come from.
The TCPA requires consent from the called party, not from the list vendor [1]. A data broker saying "these are opted-in" in their contract does not transfer consent to you. If those contacts did not specifically agree to receive SMS marketing from your company, you have no TCPA cover no matter what you paid.
You can technically use purchased numbers if you collect fresh consent before texting. But that means you cannot text them until they opt in to your program. At that point you are building a new list from scratch using those numbers as a starting point, which is not the same as importing them into an SMS tool for marketing.
The Cash App TCPA class action settlement and the Albertsons Safeway TCPA settlement are useful studies in what happens when consent records are thin or sourced through third-party arrangements. Those settlements ran into the millions.
If your budget is tight and you are tempted to buy a list and blast it, run the math first. At $500 per violation in a class action, a list of 50,000 contacts with questionable consent is $25 million of exposure. No lead generation ROI justifies that.
How does the FCC's 2025 one-to-one consent rule change list uploads?
The FCC's Report and Order in FCC 23-107 requires that prior express written consent for marketing calls and texts come from a single seller on a website or form, not from a page listing dozens of partner companies [3]. The rule took effect January 27, 2025.
For list uploads, the impact is large. Any contacts you collected through a shared lead form before January 2025, or through a co-registration partner that listed multiple sellers, need to be re-evaluated. The FCC's intent was to end the practice of one consumer checking one box and then getting texts from 50 different companies that all claimed that box as their consent.
If your CRM was fed by lead gen partners or insurance comparison sites, you likely have a segment that no longer has valid consent. Move those contacts to a suppression list, or run them through a re-consent campaign on another channel (email, if you have valid email consent) before you ever text them.
The TCPA news through 2025 has focused heavily on enforcement of this rule. Treat any pre-2025 third-party opt-in as suspect until you verify the original form language.
What does a compliant consent record actually look like?
A compliant record captures the opt-in source, an exact timestamp, the IP address, the disclosure text the person saw, and confirmation of scrubbing. Here is what you want in your database for each contact before upload:
| Field | Example value |
|---|---|
| Phone number | +15085551234 |
| Opt-in source URL | https://yourdomain.com/free-quote-form |
| Opt-in timestamp | 2024-11-03 14:22:07 UTC |
| IP address at opt-in | 98.112.44.201 |
| Form disclosure text seen | "By submitting this form, you agree to receive marketing text messages from [Company] at the number above. Msg & data rates may apply. Reply STOP to opt out." |
| Double opt-in confirmation sent | Yes, 2024-11-03 14:22:12 UTC |
| Reassigned number check date | 2025-06-15 |
| DNC scrub date | 2025-06-15 |
| Internal suppression checked | Yes |
If any of those fields are blank, the record is not upload-ready.
Double opt-in, where you send a confirmation text asking the person to reply YES before you start sending marketing messages, is not required by the TCPA. But it is probably the single best thing you can do for your consent documentation. It creates a second record of the person's agreement and proves the number was active and in their possession at that moment. Most serious SMS compliance programs run double opt-in by default.
How often do you need to re-scrub a list after the initial upload?
Scrub against the National DNC Registry at least every 31 days. The FTC's Telemarketing Sales Rule sets that interval for organizations accessing the registry [4], and most SMS compliance professionals treat it as the floor for text marketing too.
For reassigned numbers, the FCC's safe harbor for the RND protects you only if you check the database before each call or campaign [5]. Once a month is the minimum. Some high-volume programs scrub weekly.
Internal suppression lists get applied in real time, not on a schedule. If someone texts STOP at 9 a.m., they cannot get a text at 10 a.m. The TCPA has no grace period for opt-outs. Honor them immediately.
A reasonable re-scrub calendar for an active program looks like this: DNC scrub every 30 days, reassigned numbers check before each campaign, internal suppression applied in real time, and a full consent audit on any segment untouched for 12 months before you reactivate it.
What records do you need to keep in case of a TCPA lawsuit?
The first thing plaintiff's counsel requests in discovery is your consent records. "Prior express written consent" is an affirmative defense under the TCPA [1], which means you carry the burden of proving it exists. If you cannot produce the records, you lose the defense.
Keep these for a minimum of four years, which matches the TCPA's statute of limitations:
1. The original consent record for every contact you have ever texted, including form language, timestamp, IP address, and phone number. 2. Your DNC scrub logs showing the scrub date, the vendor or service used, and the results. 3. Your reassigned numbers check logs. 4. Your internal suppression list with timestamps of every opt-out request and how it was honored. 5. Your campaign send logs showing which contacts got which messages and when. 6. Any complaints received and how they were handled.
Store these in a system that cannot be edited without an audit trail. A spreadsheet on someone's laptop is not good enough. A CRM with version history or a purpose-built compliance platform is better.
LeadCompliant's compliance kit includes record-keeping templates and a consent audit worksheet you can adapt to your stack. Running a structured audit before a major upload is a reasonable precaution, not a luxury.
The Credit One TCPA settlement is a good cautionary example. The plaintiffs argued Credit One kept texting after receiving opt-out requests, which goes straight to suppression list management. The Truist Bank TCPA class action settlement similarly centered on consent and documentation failures.
Are there state-level SMS rules that go beyond the TCPA?
Yes, several. The TCPA is the federal floor, not the ceiling.
California's Invasion of Privacy Act (CIPA) has been applied to text messaging in several cases, and California plaintiffs' attorneys file CIPA claims alongside TCPA claims. Florida amended its Mini-TCPA (Florida Telephone Solicitation Act, Florida Statute § 501.059) in 2021 to cover text messages and created a private right of action with damages of $500 per violation for calls or texts sent without consent [6]. Washington and Oklahoma have their own telephone solicitation statutes with consent requirements.
If your list includes Florida residents, treat their records with extra scrutiny. Florida's law does not require an ATDS for liability. It covers any "telephonic sales call" including texts, which means the Facebook v. Duguid ATDS defense that some companies lean on federally does not help you in Florida.
The growing state law patchwork is one reason a consent record showing explicit SMS marketing agreement, with a timestamp and disclosure language, protects you better than trying to guess which federal or state standard applies in any given case.
What are the most common mistakes teams make when uploading contacts to an SMS tool?
After looking at how TCPA cases get built and what plaintiffs typically allege, a few patterns repeat.
Assuming email consent covers SMS. This is the most common error. The channels are legally separate under the TCPA and FCC rules. If your signup form only mentioned email, you do not have SMS consent.
Uploading a list without checking for previous opt-outs. If someone unsubscribed two years ago, deleted their account, or complained to your support team, and that information never made it into your suppression list, you will text them again on upload day. That is how individual plaintiffs and class action attorneys find their cases.
Ignoring the reassigned numbers database. A lot of small teams have never heard of the RND. The FCC launched it in 2021 to give callers a tool for exactly this problem, and there is a safe harbor for callers who use it [5]. Skipping it removes your safe harbor protection.
Treating a verbal opt-in as prior express written consent. The word "written" in the regulation matters. A verbal agreement at a trade show, a handshake, even a phone call where the person said "sure, text me," does not satisfy the written consent requirement for marketing messages.
Uploading the whole CRM because it is faster. The right move is to build a dedicated SMS-consented segment and upload only that. Uploading everyone and planning to sort it out later is how you get a class of 100,000 plaintiffs.
Quick reference: TCPA upload checklist table
Use this table as a final gate before any list import. Every row should say "Done" before you click upload.
| Checklist item | Required for marketing SMS? | Notes |
|---|---|---|
| Consent source identified per record | Yes | Web form, text-to-join, paper form |
| Consent explicitly covers SMS marketing | Yes | More than email or informational texts |
| Affirmative opt-in (no pre-checked boxes) | Yes | FCC requirement |
| One-to-one consent (single named seller) | Yes, for post-Jan 2025 contacts | FCC 23-107 |
| Consent record archived with timestamp and IP | Yes | Affirmative defense in litigation |
| National DNC Registry scrub completed | Yes | Within last 31 days |
| Internal suppression list applied | Yes | Real-time honor required |
| Reassigned Numbers Database check done | Strongly recommended | FCC safe harbor available |
| Number type validated (wireless vs. landline) | Recommended | Avoid wasted spend and errors |
| Purchased list contacts excluded or re-consented | Yes | No transferred consent from brokers |
| State-specific rules checked (Florida, California, etc.) | Yes if applicable | State law can exceed TCPA |
| Consent records stored for 4+ years | Yes | TCPA statute of limitations |
If you run text messaging marketing at any scale, print this table and tape it to the wall near whoever handles your SMS tool admin. Seriously.
Frequently asked questions
Can I import contacts who gave me their phone number on a paper form?
Yes, if the paper form included a compliant disclosure that they agreed to receive marketing texts via autodialed system from your company specifically, and you kept a copy. You will need to digitize and archive those records. A signed paper form satisfies the TCPA's written consent requirement, but you still have to scrub those numbers against the DNC Registry and your suppression list before texting.
Does getting a business card from someone give me consent to text them?
No. Handing over a business card is not a written agreement to receive autodialed marketing texts. It has no disclosure about SMS marketing, and it is not an affirmative opt-in. You would need to obtain a separate, explicit SMS consent from that person before adding them to any automated marketing campaign.
What happens if I text someone who previously opted out and I did not know?
Ignorance of the opt-out is not a defense under the TCPA. If the person opted out of your SMS program and you texted them again, that is a separate violation worth $500 to $1,500. This is exactly why maintaining and applying a real-time suppression list before every upload matters. Courts have held companies liable for post-opt-out texts even when the failure was a database sync error.
How long is TCPA consent valid? Does it expire?
The TCPA does not set a hard expiration date for consent. The FCC has said consent can be revoked at any time, and courts have found that long communication gaps combined with changed circumstances can raise questions about whether consent remained valid. Most compliance attorneys treat consent as potentially stale after 18 to 24 months without contact and require re-consent before resuming.
Is a double opt-in required by the TCPA for SMS marketing?
No, double opt-in is not required by the TCPA. But it is one of the strongest consent documentation tools available. A confirmation text asking the contact to reply YES before they get marketing messages creates a second timestamped record proving the number was active and in their possession. Most serious SMS programs use it by default because it nearly eliminates consent disputes in litigation.
Do I need to scrub against the DNC Registry even if I have valid TCPA consent?
Yes, they are separate obligations. TCPA consent governs whether you can use an autodialer to contact someone. The National DNC Registry governs telemarketing contact more broadly. A contact can give you valid TCPA consent and later register on the DNC list, which supersedes that consent for telemarketing purposes. You have to comply with both frameworks independently.
What is the Reassigned Numbers Database and do I have to use it?
The FCC's Reassigned Numbers Database lets callers verify whether a number has been reassigned to a new subscriber since consent was obtained. Using it is not mandatory, but the FCC created a safe harbor: if you check the RND before contacting a number and it shows no reassignment, you are protected from TCPA liability for that call or text. Skip it and you have no safe harbor defense if you reach a stranger.
Can I use leads purchased from a third-party vendor for SMS marketing?
Generally no, at least not without collecting fresh consent first. The TCPA requires consent from the called party to your specific company. A vendor's contractual claim that a list is opted-in does not transfer valid TCPA consent to you. After the FCC's 2025 one-to-one consent rule, even shared opt-in forms naming multiple sellers are likely insufficient. Purchased contacts who have not consented to hear from you specifically should not go into your SMS tool.
What damages can I face if I upload contacts without proper consent and text them?
The TCPA allows $500 per violation for negligent violations and up to $1,500 per violation for willful or knowing violations (47 U.S.C. § 227(b)(3)). Each text to each non-consenting number is a separate violation. There is no cap on the total, and the TCPA allows class actions. A 10,000-person blast without consent carries theoretical exposure of $5 million to $15 million, which is why TCPA class actions settle for millions regularly.
How does the FCC's one-to-one consent rule from 2025 affect my existing list?
Any contact collected through a shared opt-in form, lead aggregator, or co-registration page that named multiple companies may no longer have valid consent under the FCC's January 2025 rule. Review the original form language for any third-party-sourced contacts. If the form listed multiple sellers, do not upload those contacts to your SMS platform without getting fresh, single-seller consent first.
Do these TCPA rules apply to B2B texts as well as B2C?
The TCPA applies to calls and texts to wireless numbers whether the recipient is a consumer or a business. Courts have generally applied the same consent requirements to B2B texts sent to cell phones. The FTC's DNC Registry has a business exemption for certain B2B calls, but the TCPA's written consent requirement for autodialed marketing texts to cell phones has no clean B2B carve-out. Treat B2B mobile numbers with the same rigor.
What should I do if I already uploaded contacts and sent texts before seeing this checklist?
Stop sending to any contacts whose consent you cannot document. Pull a consent audit immediately: for each contact you messaged, can you produce the opt-in record with timestamp and disclosure language? For those you cannot, add them to your suppression list and do not contact them again via SMS. If you got complaints or opt-out requests and did not honor them promptly, consult a TCPA attorney. Early remediation and documented corrective action matter in litigation.
Are there TCPA-specific rules about the time of day I can send marketing texts?
Yes. The TCPA regulations at 47 C.F.R. § 64.1200(c)(1) restrict telemarketing calls, and the FTC Telemarketing Sales Rule restricts calls, to between 8 a.m. and 9 p.m. local time at the recipient's location. The FCC has applied the same principle to texts. Always send based on the recipient's local time zone, not your own. A 7 a.m. marketing text is a separate violation on top of any consent issue.
How do Florida's SMS rules differ from the federal TCPA?
Florida's Telephone Solicitation Act (Florida Statute § 501.059), amended in 2021, covers texts and does not require an ATDS to trigger liability, unlike the federal TCPA after Facebook v. Duguid. It creates a private right of action with $500 per violation. Florida also has its own state DNC list. If any of your contacts are Florida residents, you cannot rely solely on the ATDS-focused federal framework. Explicit written consent and DNC compliance are required regardless.
Sources
- U.S. Government Publishing Office, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA makes it unlawful to use an ATDS to contact wireless numbers without prior express consent; statutory damages are $500 per violation and up to $1,500 for willful violations
- FCC, 47 C.F.R. § 64.1200 (Rules and Regulations Implementing the Telephone Consumer Protection Act): Prior express written consent required for autodialed marketing texts; must include affirmative consumer signature and disclosure of autodialed/prerecorded nature
- FTC, National Do Not Call Registry: Telemarketers must scrub call lists against the National DNC Registry at least every 31 days
- FCC, Reassigned Numbers Database: FCC launched the Reassigned Numbers Database in 2021; callers who check the database before contacting a number have a safe harbor from TCPA liability for reaching a reassigned number
- Florida Legislature, Florida Statutes § 501.059 (Florida Telephone Solicitation Act, 2021 amendment): Florida's 2021 amendment to the Telephone Solicitation Act extended coverage to text messages and created a $500 per violation private right of action without requiring an ATDS
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the ATDS definition in 2021, but TCPA consent requirements for marketing texts remain in effect
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR restricts telemarketing contact to 8 a.m. to 9 p.m. local time at the recipient's location and requires DNC scrubbing every 31 days
- FCC, 47 C.F.R. § 64.1200(c)(1) (time restrictions on telemarketing calls): Telemarketing calls and texts restricted to 8 a.m. to 9 p.m. local time at the called party's location
- U.S. Court of Appeals for the Eleventh Circuit, Insurance Marketing Coalition Ltd. v. FCC: The Eleventh Circuit reviewed the FCC 23-107 one-to-one consent rule ahead of its January 2025 effective date