SMS marketing delivers incredible results, but it comes with serious regulatory obligations. Unlike email, where the rules are relatively forgiving, SMS is governed by strict federal and state laws that carry significant penalties for non-compliance. The good news is that compliance is straightforward once you understand the rules.
TCPA: The Foundation of SMS Compliance
The Telephone Consumer Protection Act (TCPA) is the primary federal law governing SMS marketing in the United States. Enacted in 1991 and updated several times since, the TCPA establishes clear rules about when and how businesses can send text messages to consumers.
Key TCPA requirements for SMS marketing:
- Prior express written consent: You must obtain clear, documented consent before sending marketing SMS. This means the subscriber must actively opt in — you cannot assume consent from a business relationship, a purchase, or having their phone number.
- Clear disclosure: At the point of opt-in, you must clearly state what type of messages the subscriber will receive, the frequency, that message and data rates may apply, and how to opt out.
- Easy opt-out: Every marketing SMS must include a way to opt out, and opt-out requests must be honored immediately. The standard is replying STOP.
- Quiet hours: Do not send marketing messages before 8 AM or after 9 PM in the recipients local time zone.
TCPA penalties are severe: $500 per unsolicited message, and up to $1,500 per message for willful violations. Class action lawsuits under TCPA are common and have resulted in settlements exceeding $100 million.
10DLC: The New Standard for Business Texting
10DLC (10-Digit Long Code) is the carrier-approved system for sending business SMS over standard phone numbers. As of 2024, all major US carriers (AT&T, T-Mobile, Verizon) require 10DLC registration for any business sending SMS.
The 10DLC registration process involves two steps: brand registration (verifying your business identity with The Campaign Registry) and campaign registration (describing your use case and message types). Approval typically takes 1-5 business days.
Why 10DLC matters: Unregistered traffic faces heavy filtering, throttling, and potential blocking by carriers. Registered 10DLC traffic gets higher throughput, better deliverability, and lower per-message costs. There is no legitimate reason to skip registration.
CTIA Guidelines
The CTIA (Cellular Telecommunications Industry Association) publishes best practices that carriers enforce. Key requirements include: identifying your business in every message, including opt-out instructions, limiting message frequency to what was disclosed at opt-in, and maintaining records of consent.
Building a Compliant SMS Program
1. Design compliant opt-in flows: Your opt-in mechanism must include your business name, message type description, frequency, "Msg & data rates may apply" disclosure, opt-out instructions, and a link to your privacy policy. Whether it is a web form, keyword opt-in, or checkout checkbox, all of these elements must be present.
2. Implement double opt-in: After initial opt-in, send a confirmation message asking the subscriber to reply YES to confirm. This provides an extra layer of consent documentation and ensures the phone number is valid and belongs to the person who opted in.
3. Honor opt-outs instantly: When someone texts STOP (or CANCEL, UNSUBSCRIBE, QUIT, END), immediately suppress their number and send a single confirmation: "You have been unsubscribed. No more messages will be sent. Reply START to resubscribe."
4. Maintain consent records: Keep detailed records of when, where, and how each subscriber opted in. Store the opt-in timestamp, source (web form URL, keyword, etc.), IP address (for web forms), and the exact language of the disclosure they agreed to. These records are your defense in any compliance dispute.
5. Respect quiet hours: Never send marketing SMS before 8 AM or after 9 PM in the recipients local time zone. This means you need to know (or infer) the time zone for every subscriber.
State-Level Regulations
Several states have additional SMS marketing laws that go beyond TCPA requirements. Florida, for example, requires specific consent language and prohibits certain automated messaging practices. Washington state has its own telemarketing regulations. Always check state-specific requirements for your subscriber base.
How Upturn Keeps You Compliant
Compliance should not be something you worry about — it should be built into your tools. Upturn includes automatic opt-out handling, quiet hours enforcement, consent tracking and audit logs, compliant opt-in form templates, 10DLC registration assistance, and real-time compliance alerts. Focus on your marketing strategy while we handle the compliance infrastructure.