Home » SMS Marketing » TCPA Compliance

TCPA Compliance Guide for SMS Marketing

The Telephone Consumer Protection Act (TCPA) is the primary federal law governing text message marketing in the United States. It requires businesses to obtain express written consent before sending marketing text messages, honor opt-out requests immediately, and follow specific rules about message content and timing. Violations carry penalties of $500 to $1,500 per message, and class action lawsuits from TCPA violations regularly result in multi-million dollar settlements. Understanding and following TCPA rules is not optional if you send commercial text messages.

What the TCPA Requires

The TCPA was originally passed in 1991 to regulate telemarketing calls, and has been updated multiple times to cover text messages. The core requirements for SMS marketing are:

Prior express written consent: Before you send any marketing text, the recipient must have agreed in writing (which includes electronic forms) to receive text messages from your specific business. A general "terms of service" checkbox does not count. The consent must clearly state that the person agrees to receive marketing messages via text, identify your business by name, and disclose that message and data rates may apply.
Clear identification: Every marketing message must identify who is sending it. Recipients should know which business is texting them.
Opt-out mechanism: Every message must include a way to stop receiving messages. The standard is supporting the STOP keyword, which most carriers require anyway. When someone texts STOP, you must stop sending immediately, not after the current campaign ends, not after a confirmation, immediately.
Time restrictions: Marketing texts cannot be sent before 8:00 AM or after 9:00 PM in the recipient's local time zone. This means you need to know or reasonably determine the time zone for each number.

Express Written Consent: What Counts

This is where most TCPA violations happen. The consent requirement is strict, and courts have not been lenient with businesses that cut corners. Valid consent requires all of these elements:

The person fills out a form, checks a box, or sends a keyword to your number, and the form clearly states they will receive marketing text messages
The consent mentions your business name specifically
The consent discloses the approximate frequency of messages (e.g., "up to 4 messages per month")
The consent states that message and data rates may apply
The consent is not a condition of purchase (you cannot require someone to agree to texts in order to buy something)
You keep a record of the consent: when it was given, how, and the exact language the person agreed to

Double opt-in adds an extra layer of protection. After someone submits a form, you send a single confirmation text asking them to reply YES to confirm. This creates an additional record of consent from the actual phone number. While not legally required, double opt-in is strongly recommended because it proves that the person who owns the phone number (not just someone who typed it into a form) actually agreed to receive messages.

See How to Set Up Proper SMS Opt-In and Opt-Out for implementation details and SMS Consent Requirements: Express vs Implied for the different consent standards.

What Counts as a Marketing Message

The TCPA distinguishes between marketing messages (which require express written consent) and informational or transactional messages (which require only prior express consent, a lower standard). The distinction matters because it affects what consent you need.

Marketing messages include promotions, sales, discounts, new product announcements, re-engagement campaigns, and anything designed to encourage a purchase. These require express written consent.

Transactional messages include order confirmations, shipping notifications, appointment reminders, account alerts, two-factor authentication codes, and responses to customer inquiries. These require prior express consent (which can be implied by giving you their phone number in a business context) but do not require written consent.

The line between the two can be blurry. An appointment reminder that also includes "mention this text for 15% off your next visit" is a marketing message. An order confirmation that includes "check out our new arrivals" is a marketing message. If a message has any marketing content, treat it as a marketing message and apply the stricter consent standard.

Penalties and Enforcement

TCPA violations carry statutory damages of $500 per unsolicited message. If the violation is found to be willful or knowing, the penalty triples to $1,500 per message. These are per-message penalties, not per-campaign. A campaign of 10,000 messages sent without proper consent creates exposure of $5 million to $15 million.

Enforcement comes from two sources. The FCC can investigate and fine businesses directly. More commonly, private plaintiffs file individual or class action lawsuits. The TCPA has a private right of action, meaning any person who receives an unsolicited text can sue. Plaintiff attorneys actively seek TCPA cases because the statutory damages make them profitable even for small class sizes.

Recent TCPA settlements include cases ranging from $2 million to over $100 million. Courts have rejected defenses like "we thought we had consent," "the person gave us their number at checkout," and "our vendor handled compliance." You are responsible for consent regardless of what tools or vendors you use.

This guide covers the federal TCPA. Many states have their own texting laws that add requirements beyond the federal baseline. Florida, for example, requires specific caller ID information and restricts texting hours further. Check the laws in every state where your recipients are located. See SMS Marketing Laws: What You Can and Cannot Send for state-level details.

TCPA Compliance Checklist

1. Consent collection.
Every phone number in your list has documented express written consent for marketing messages. Your signup forms include the required disclosure language. Consent records (timestamp, source, language agreed to) are stored and retrievable.

2. Opt-out handling.
Your system processes STOP replies automatically and removes the number from all future sends immediately. You also handle common variations: STOP, QUIT, END, CANCEL, UNSUBSCRIBE. See How to Handle STOP and Unsubscribe Requests Automatically.

3. Time zone compliance.
Marketing messages only send between 8 AM and 9 PM in the recipient's local time zone. Your sending system accounts for time zones, not just your own business hours. See Best Times to Send SMS Marketing Messages.

4. Message content.
Every marketing message identifies your business and includes opt-out instructions (e.g., "Reply STOP to unsubscribe"). The content matches what the person consented to receive.

5. List hygiene.
Numbers that bounce, complain, or opt out are removed promptly. You do not re-add opted-out numbers. You periodically clean your list to remove invalid numbers. See How to Build an SMS Subscriber List.

6. 10DLC registration.
If you send A2P (application-to-person) messages on 10-digit long codes, your brand and campaigns are registered through the 10DLC system. Unregistered traffic faces heavy filtering and potential blocking by carriers. See 10DLC Registration Guide.

7. Record keeping.
You maintain records of every consent, every opt-out, and every message sent. These records are your defense in any dispute or lawsuit. Keep them for at least six years (the longest state statute of limitations for TCPA claims).

How the Platform Helps With Compliance

The SMS Broadcast app includes several features designed to support TCPA compliance. Opt-out keywords (STOP, QUIT, END, CANCEL, UNSUBSCRIBE) are processed automatically and the number is removed from all future broadcasts. The suppression list prevents opted-out numbers from being accidentally re-added. Scheduling controls respect time zone windows. Carrier lookup identifies the carrier for each number, which helps with routing and filtering.

However, the platform cannot verify your consent. You are responsible for collecting proper consent before uploading numbers, keeping consent records, and ensuring your message content complies with what recipients agreed to receive. No technology can substitute for collecting real consent from real people.

Send compliant SMS campaigns with built-in opt-out handling, carrier routing, and scheduling controls. Manage your entire SMS program from one platform.

Get Started Free

SMS Broadcast App