TCPA regulations for text messages: what you must know in 2025

TCPA text message rules carry fines up to $1,500 per message. Learn consent types, opt-out rules, and how to stay compliant before the FCC's 2025 changes hit.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-10

Person reviewing a text message conversation on smartphone at a desk
Person reviewing a text message conversation on smartphone at a desk

TL;DR

The TCPA (47 U.S.C. § 227) treats most commercial text messages as regulated communications. You need prior express written consent before sending marketing texts, must honor opt-outs within 10 business days, and face statutory damages of $500 to $1,500 per message. The FCC's January 2025 one-to-one consent rule tightened requirements further for lead-gen companies.

What is the TCPA and does it actually cover text messages?

Yes, it covers texts. The Telephone Consumer Protection Act (47 U.S.C. § 227) was enacted in 1991 to stop unwanted calls, and the FCC extended its reach to SMS in 2003 and reaffirmed that reading in later rulings.[1] The statute covers calls or texts made using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to any cellular telephone number.

That ATDS definition has been fought over for years. The Supreme Court narrowed it in Facebook v. Duguid (2021), holding that a system must have the capacity to produce numbers using a random or sequential number generator to qualify as an ATDS.[2] That ruling threw out a lot of broad ATDS claims. It did not end TCPA exposure for text senders. Plaintiff attorneys shifted their theories, and most of today's litigation turns on the written-consent rules rather than the dialer definition. Many blast-SMS tools still store and auto-dial numbers from a list, and courts still disagree on whether that counts.

Do not assume Facebook v. Duguid made you safe. It closed one door and left several open. The FCC keeps rulemaking authority that expands the statute's practical reach, and most text lawsuits now hinge on whether you had proper consent, not what dialer you used.

For a broader look at what qualifies as a marketing text under federal law, see our guide to text message marketing.

Most violations happen right here, and the answer depends on what kind of message you're sending.

The FCC splits consent into two tiers.[3]

Informational texts (no marketing content): Prior express consent. The consumer must have given you their number voluntarily in a context that reasonably shows they expected contact. A customer who hands over a cell number when placing an order has arguably given prior express consent for order-status texts. Lower bar. Still a real bar.

Marketing texts: Prior express written consent. The consumer must have signed (including electronically) a clear and conspicuous disclosure authorizing you to send autodialed marketing texts to that number. The disclosure must name your company and must say consent is not a condition of any purchase. This requirement comes from the FCC's 2012 order and is codified at 47 C.F.R. § 64.1200(a)(2).[3]

The word "written" carries real weight. A verbal opt-in on a recorded call does not meet the written consent standard for marketing texts. A pre-checked box on a web form almost certainly fails too, because both courts and the FCC treat consent as something the consumer must affirmatively give.

Here's the trap that sinks small teams: buying a contact list and assuming the vendor collected compliant consent for you. That assumption is usually wrong. The FCC's January 2025 one-to-one consent rule makes shared consent through a lead aggregator even harder to lean on. Under that rule, adopted in December 2023 and effective January 2025, prior express written consent for marketing calls and texts has to come directly from the consumer to the specific seller placing the call or text.[4] One consent that covers dozens of partner brands is no longer valid.

A lot, if your leads come through aggregators, comparison sites, or any shared lead-gen funnel. If you collect consent directly on your own form, less changes for you.

The FCC's December 2023 Report and Order (CG Docket No. 21-402) requires that consent for autodialed or prerecorded marketing calls and texts be obtained one seller at a time (you cannot bundle consent to 50 partners in a single disclosure) and be logically and topically related to the website or context where the consumer gave it.[4] A person filling out a home insurance quote form has not consented to solar panel texts, even if the fine print once said "and our marketing partners."

The order also aligned written consent requirements more closely with the existing telemarketing consent framework that protects numbers on the do-not-call registry.

This single change broke a large chunk of the shared-consent lead-generation economy. If you relied on purchased or aggregated lists where a third-party site collected one blanket consent, that pipeline needs a rebuild or fresh individual consents before you text those contacts. There is no grandfathering for old consent records that miss the new standard.

Stay current on FCC rulemaking through our TCPA news hub, where we track new orders as they drop.

What are the TCPA's opt-out rules for text messages?

If a consumer texts back STOP (or any reasonable equivalent like UNSUBSCRIBE, CANCEL, or QUIT), you have to stop texting them. The TCPA itself does not set a hard maximum response window for texts the way CAN-SPAM handles email, but the FCC's 2003 TCPA order and standard CTIA carrier guidelines create real obligations.[5] CTIA guidance, which carriers enforce through their messaging policies, calls for opt-out processing within a reasonable timeframe and at most within 10 business days. Most texting platforms handle this automatically.

A few opt-out rules people miss:

  • You may send one confirmatory message after someone texts STOP. You cannot put marketing content in that confirmation.
  • An opt-out from one campaign does not conveniently expire when you launch a separate campaign under the same brand. Honor it across every texting program you run.
  • Texting someone who opted out requires fresh affirmative consent. You cannot restart contact just because they signed up for an unrelated promotion.
  • Carrier filtering actively blocks senders who ignore opt-outs at scale, so beyond the legal risk there is a deliverability hit.

Document everything. If a plaintiff claims you kept texting after they opted out, you want timestamped logs from your platform showing the STOP keyword came in and the number got suppressed.

What are the TCPA penalties per text message?

The statute sets damages at $500 per violation, with treble damages up to $1,500 per violation if the court finds the conduct was willful or knowing.[1] Each text counts as a separate violation.

That math turns brutal fast. One blast to 10,000 contacts without proper consent is $5 million at the $500 floor and $15 million if a court decides you should have known better. Because the TCPA is a strict-liability statute for most violations, plaintiffs do not need to show you caused them actual harm. Texting a number on the National Do Not Call Registry, or texting without written consent, is enough.

Class actions are common because the per-text structure turns small individual harms into enormous class-wide recoveries. Recent settlements show how this plays out. UnitedHealthcare paid $2.5 million to resolve TCPA claims. Credit One Bank faced significant class exposure over similar issues. Albertsons and Safeway settled claims tied to promotional texts. These are not outlier cases. This is the normal outcome when a company texts at scale without airtight consent records.

The FCC can also assess forfeitures on its own under 47 U.S.C. § 503(b), though private class actions are the more common enforcement route in practice.[1]

Violation TypePer-Message Damages
Standard TCPA violation$500
Willful or knowing violationUp to $1,500
State law (e.g., California, Florida)Varies; some states stack on top of federal damages
TCPA text message violation: key numbers Statutory thresholds and compliance deadlines every text sender must know 500 Per-message damages (standa… 1,500 Per-message damages (willfu… 10 Opt-out processing window (… days, CTIA guideline) 4 Statute of limitations for TCPA claims (years) Source: 47 U.S.C. § 227; 47 C.F.R. § 64.1200; CTIA Messaging Best Practices; 28 U.S.C. § 1658

Real exemptions exist, and it pays to know them precisely instead of assuming they cover more than they do.

The FCC has granted exemptions for certain categories of calls and texts made without charge to the consumer:[3]

  • Healthcare texts: Appointment reminders, prescription notifications, and similar messages from HIPAA-covered entities have a limited exemption, subject to conditions that include the message being free to the recipient, containing only the exempted content, and respecting opt-out requests immediately.
  • Financial fraud alerts: Banks can send one-time fraud alerts to account holders without prior express consent, again with conditions.
  • Package delivery notifications: Carriers can send delivery and pickup notifications under a narrow exemption.
  • Emergency texts: Calls or texts made for emergency purposes are exempt.

These exemptions are narrow. The healthcare exemption does not cover marketing texts from a healthcare company. It covers specific operational messages. If your text promotes services, sells products, or invites the consumer into any commercial transaction, assume you need consent no matter your industry.

Texts from tax-exempt nonprofit organizations and political campaigns get their own treatment under the statute, but they are not categorically exempt, especially for mobile numbers.

How does the National Do Not Call Registry apply to text messages?

The National Do Not Call Registry (DNC) is built around telemarketing calls, but the FTC and FCC have both indicated that unsolicited commercial texts can count as telemarketing communications subject to the registry's restrictions.[6] A number on the DNC Registry that gets an unwanted commercial text can expose the sender to liability under both the TCPA and potentially the Telemarketing Sales Rule.

The cleaner framing: if you send commercial texts, scrub your list against the DNC Registry before sending, even if you trust your consent records. It adds a layer of defense and costs almost nothing operationally.

Organization-specific do-not-contact lists matter just as much. If a consumer has already asked your company to stop contacting them, that is an internal DNC obligation that survives regardless of what the national registry says. Companies that skip internal suppression lists stay vulnerable on this point even after they scrub the federal registry.

For a practical walkthrough on stopping unwanted contacts from the consumer side, see our guide on how to stop robocalls.

What TCPA requirements apply specifically to short codes and toll-free texting?

Short codes (5 to 6 digit numbers like 12345) and toll-free numbers are common for high-volume text programs, but they do not get different consent rules under the TCPA. The consent requirements are identical. What changes is how carriers police compliance.

The CTIA (the wireless industry trade group) administers short code compliance through its Short Code Monitoring Handbook and requires documented compliance with opt-in, opt-out, and message content standards before a short code goes live.[5] Carriers can suspend or terminate a short code if it draws excessive spam complaints or STOP keywords, independent of any court action.

Toll-free texting faces similar carrier-level scrutiny through the 10DLC (10-digit long code) registration system. Since 2023, major U.S. carriers require businesses texting on 10-digit numbers to register their brand and campaigns through The Campaign Registry (TCR). Unregistered traffic gets filtered heavily or blocked outright. This is not TCPA compliance. It is a parallel operational requirement that catches a lot of small senders off guard.

Registering with TCR does not make you TCPA compliant. It just lets your messages through the carrier pipes. You still need consent records, opt-out processing, and every statutory requirement on top of carrier registration.

Consent records are your only defense in litigation. Courts put the burden of proving consent on the sender, so if you cannot produce a record showing when and how someone opted in, you have effectively lost that issue before discovery ends.

Good consent documentation includes the timestamp of consent (down to the second, in UTC), the IP address where it was captured, the exact disclosure language the consumer saw, the form version or URL, and any session recording or audit trail from your platform. If consent came through a keyword opt-in by text, log the inbound keyword, the number it came from, and the timestamp.

Store these records for at least four years. The TCPA has a four-year statute of limitations under 28 U.S.C. § 1658, and some state TCPA analogs run longer.[7]

LeadCompliant's free consent checker and compliance kit walk through the specific fields you need to capture and store. That kind of tool is worth running before you set up a new campaign, not after your first cease-and-desist letter arrives.

One documentation trap: if you change the consent language on your web form, version-control it. A plaintiff whose number was collected under an older form can argue the revised language on your site today doesn't match what they agreed to. Keep archived snapshots of every version of your opt-in form.

What do real TCPA settlements tell us about text message compliance failures?

The pattern across major TCPA settlements is consistent to the point of being boring: companies texted at scale, kept weak or nonexistent consent records, and either ignored or slow-walked opt-out requests. The dollars follow straight from those three failures.

The Cash App TCPA class action settlement and the Truist Bank TCPA class action settlement both involved allegations tied to repeated unwanted texts after consumers tried to opt out. The Kaiser TCPA settlement involved healthcare communications that crossed into promotional territory, triggering consent requirements the company apparently couldn't document.

The Albertsons and Safeway settlement is a useful case study for retail text marketing specifically, where promotional SMS programs drew class claims because recipients said they never gave proper consent to receive them.

None of these were fly-by-night operations. They were large companies with legal teams. What went wrong was process. Consent capture wasn't designed to produce defensible records, opt-out handling wasn't instant, or the underlying list hygiene was poor. Small teams that assume size shields them from risk have it backwards. Plaintiffs' firms often prefer smaller defendants because they settle faster.

What state laws stack on top of TCPA requirements for text messages?

Several states have their own telemarketing or privacy statutes that add obligations for text senders, and some run stricter than the federal floor.

California is the most aggressive. The California Consumer Privacy Act (CCPA) and its successor the CPRA give consumers rights over their data that interact with consent practices for marketing texts, especially the right to opt out of data sharing that feeds targeted SMS campaigns.[8] California's Invasion of Privacy Act (CIPA) has also been used as a parallel theory in cases involving automated texting.

Florida's Telephone Solicitation Act (FTSA) was amended in 2021 and briefly created liability for texts sent using an autodialer to Florida numbers without prior express written consent, tracking the TCPA standard but with its own private right of action.[9] The Florida legislature amended the FTSA again in 2023 to require a live agent to start a call or text before automation can continue, which reshaped some plaintiff theories, but the statute still adds exposure for companies texting Florida consumers.

Texas, Oklahoma, and Washington have similar statutes with varying consent standards and damages provisions. If you text consumers nationally, know which states impose obligations beyond the federal baseline. You cannot pick the most permissive state and call it a day, because most of these statutes apply based on where the recipient is located, not where you are incorporated.

See our text messaging marketing article for how to structure campaigns that respect both federal and state requirements.

How do you build a TCPA-compliant text message program from scratch?

Here is what a defensible program looks like in operational terms.

Step 1: Consent capture. Build an opt-in form with a clear, standalone disclosure that names your company, specifies that automated marketing texts may be sent to the number provided, states that consent is not required to purchase, and includes an explicit affirmative action (an unchecked box or a separate signature field). Capture IP, timestamp, and form version.

Step 2: Carrier registration. Register your brand and campaign through The Campaign Registry (TCR) if you're texting on a 10DLC number. Use a registered short code for high-volume programs. Your SMS platform should walk you through this, but verify it's done.

Step 3: List hygiene. Before your first send, scrub the list against the National DNC Registry and your own internal suppression list. Run a phone number lookup to confirm numbers are still active and still assigned to the person who consented. Numbers get recycled, and a new owner of a recycled number has not consented to anything.

Step 4: Message design. Every marketing text has to identify who's sending it. Include opt-out instructions ("Reply STOP to unsubscribe") in every message, or at minimum in the first message of each campaign. Keep the content consistent with what your consent language disclosed.

Step 5: Opt-out handling. Configure your platform to automatically suppress any number that sends STOP, UNSUBSCRIBE, CANCEL, or similar keywords. Confirm suppression worked with your first test send. Audit the suppression list quarterly.

Step 6: Record retention. Keep consent records, send logs, and opt-out logs for at least four years. Store them somewhere your legal team can reach, more than in the dashboard of a vendor you might switch away from.

This is not a complicated program. The companies that get sued usually aren't the ones who tried to build something and got one detail wrong. They're the ones who skipped steps 1 and 5 entirely.

Frequently asked questions

Can I text someone who gave me their number on a business card?

Not for marketing purposes without more. A business card exchange shows the person is open to professional contact, but it does not amount to prior express written consent for autodialed marketing texts under 47 C.F.R. § 64.1200(a)(2). You would need them to affirmatively opt in to promotional texts from your company, with a disclosure that meets the TCPA's written consent standard.

Does the TCPA apply to B2B text messages?

Yes, if the texts go to a mobile number. The TCPA applies based on the type of number (mobile), not the nature of the relationship. Texting a business contact's cell phone with automated marketing messages requires the same prior express written consent as texting a consumer. There is no blanket B2B exemption, though courts have sometimes weighed the commercial context when assessing damages.

How long do I have to honor an opt-out request after someone texts STOP?

Immediately, in practice. CTIA guidelines call for opt-out processing within a reasonable timeframe and no longer than 10 business days. Most compliant texting platforms suppress the number in real time. If your platform has any delay, audit it. Continuing to send after a STOP request is one of the most common facts driving TCPA class action damages, because each later message is a separate violation.

Under 47 C.F.R. § 64.1200(f)(9), prior express written consent is an agreement that clearly authorizes automated marketing calls or texts to a specific number, identifies the seller, and states that consent is not a condition of purchase. It can be captured electronically. A pre-checked opt-in box or generic privacy policy acceptance almost certainly does not qualify.

Can a text message be a TCPA violation if I only sent one message?

Yes. One non-compliant text is one violation. Courts have held that even a single unsolicited marketing text to a cell number without proper consent violates the statute. The $500 per-message floor applies regardless of how many messages went out. Plaintiffs sometimes bring individual claims over one or two texts rather than a class action, especially if they suspect willful conduct.

The FCC adopted the one-to-one consent rule in its December 2023 Report and Order under CG Docket No. 21-402. It took effect in January 2025. The rule requires that prior express written consent for autodialed marketing texts be obtained directly by the specific seller contacting the consumer, not bundled through a shared lead-gen disclosure covering multiple companies.

Do I need to register my texting campaign with carriers?

Yes, if you text on 10-digit long code (10DLC) numbers. Major U.S. carriers require brand and campaign registration through The Campaign Registry (TCR). Unregistered traffic gets filtered or blocked. Short code programs require CTIA compliance vetting. Neither registration replaces TCPA consent requirements. They are parallel obligations enforced at the carrier level rather than through courts.

Not safely. Courts and the FCC have held that responsibility for TCPA compliance sits with the party sending the message. If the vendor's consent records are defective, you bear the liability. The FCC's 2025 one-to-one consent rule makes third-party shared consent even less reliable. If you use purchased or aggregated lists, get indemnification in writing and still plan to re-verify consent independently.

What should my TCPA opt-in disclosure say?

At minimum: the full legal name of your company, that automated marketing text messages will be sent to the provided number, that message and data rates may apply, an approximate message frequency, a link to your privacy policy and terms, and an explicit statement that consent is not required to purchase any product or service. The consumer must take an affirmative action (check an unchecked box or sign) to confirm agreement.

How far back can a plaintiff go when filing a TCPA lawsuit over text messages?

The federal statute of limitations is four years under 28 U.S.C. § 1658. Some state TCPA analogs, like California's CIPA, may run on different windows. In practice, plaintiffs' attorneys often collect evidence of unwanted texts over months before filing, so a campaign you ran three years ago can still be the basis of a current lawsuit if the limitations period hasn't expired.

Are transactional texts like order confirmations covered by the TCPA?

They can be, but the consent standard is lower. Transactional or informational texts require prior express consent rather than prior express written consent. A customer who voluntarily gives their cell number during checkout has arguably given this lower-tier consent for order updates. The risk shows up when transactional messages also carry promotional content, which upgrades them to marketing texts requiring full written consent.

Does texting a reassigned number create TCPA liability even if I had consent from the original owner?

Yes. If a consumer gives you consent and then their number is reassigned to someone new, and you text the new person, that is a potential TCPA violation. The FCC addressed reassigned numbers in a 2018 order and has worked the issue in later rulemaking. The practical defense is real-time number validation before each campaign to flag potentially reassigned numbers and remove them.

Sources

  1. Cornell Law School Legal Information Institute, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA sets statutory damages of $500 per violation, up to $1,500 for willful or knowing violations, and covers calls or texts made using an ATDS to cellular numbers.
  2. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held that an ATDS must have the capacity to produce numbers using a random or sequential number generator; list-based dialing alone does not automatically qualify.
  3. FCC, 47 C.F.R. § 64.1200 (Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991): Prior express written consent is required for autodialed marketing calls and texts to cellular numbers; prior express consent suffices for informational communications.
  4. CTIA, Messaging Principles and Best Practices: CTIA guidelines require opt-out processing within 10 business days and specify opt-in, opt-out, and message content standards for short code and commercial texting programs.
  5. FTC, National Do Not Call Registry: The National Do Not Call Registry restricts telemarketing calls and commercial text messages to registered numbers.
  6. Cornell Law School Legal Information Institute, 28 U.S.C. § 1658 (Statute of Limitations for Federal Statutes): The federal catch-all statute of limitations is four years, applying to TCPA claims where no shorter period is specified.
  7. California Office of the Attorney General, California Consumer Privacy Act (CCPA): The CCPA and CPRA give California consumers rights over personal data used in marketing, including the right to opt out of data sales that enable targeted text campaigns.
  8. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida's FTSA, amended in 2021 and 2023, creates a private right of action for unsolicited automated telemarketing calls and texts to Florida consumers.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit