← Back to Blog April 2026 · 12 min read

SMS Compliance in 2026: TCPA, 10DLC & Consent Rules Explained

Fines for non-compliant texts can reach $1,500 per message. This guide covers every rule you need to follow — in plain English — so you can text your customers confidently and legally.

SMS marketing is one of the most effective channels available — but it's also one of the most regulated. The Telephone Consumer Protection Act (TCPA), carrier-level 10DLC requirements, and state-specific privacy laws all apply to business text messaging. Get it wrong, and you're looking at fines, carrier filtering, or even lawsuits.

The good news: compliance isn't complicated once you understand the rules. Let's walk through everything you need to know.

1. The TCPA: Federal Law That Applies to Every Text

The Telephone Consumer Protection Act is the foundational law governing business text messages in the United States. Here's what it requires:

Prior Express Written Consent

Before you send any marketing text, you must have prior express written consent from the recipient. This means the person must have taken a clear action to opt in — like texting a keyword, filling out a web form, or checking a checkbox. Verbal consent is not enough for marketing messages.

What counts as valid consent:

  • Texting a keyword like "JOIN" to your number
  • Filling out an online form with a clear disclosure that they'll receive marketing texts
  • Checking an unchecked checkbox (pre-checked boxes don't count)
  • Writing their phone number on a paper sign-up form with SMS disclosure language

Time-of-Day Restrictions

You may only send marketing texts between 8:00 AM and 9:00 PM in the recipient's local time zone. Sending a text at 9:01 PM is technically a violation — and plaintiffs' attorneys know it.

Identification

Every marketing text must identify who is sending it. Include your business name in every campaign message.

Opt-Out Honoring

Recipients must be able to opt out at any time by replying STOP (or similar keywords). You must honor opt-outs immediately — the next message they receive should be a confirmation, and nothing after that.

⚠️ Penalty for Violations

$500 per unsolicited message, tripled to $1,500 per message for willful violations. A single campaign to 10,000 contacts could mean $15 million in exposure.

2. 10DLC: Carrier-Level Registration

10DLC (10-Digit Long Code) is a carrier-imposed system that requires businesses to register their brand and messaging campaigns before sending texts from a standard phone number. This isn't a law — it's a requirement set by AT&T, T-Mobile, and Verizon.

How 10DLC Works

  1. Brand Registration: You register your business (name, EIN, address, industry) with The Campaign Registry (TCR).
  2. Campaign Registration: You describe your use case — what kind of messages you'll send and to whom.
  3. Vetting & Trust Score: TCR assigns your brand a trust score based on business size, history, and verification. Higher scores = higher throughput limits.
  4. Carrier Approval: Carriers review your campaign and either approve or reject it.

What Happens Without 10DLC?

Messages sent from unregistered 10DLC numbers face heavy filtering. Carriers may block your messages entirely, charge surcharges, or rate-limit your throughput to a crawl. In 2026, unregistered A2P traffic on long codes is effectively dead.

Toll-Free as an Alternative

Toll-free numbers (800, 888, etc.) have their own verification process separate from 10DLC. They're simpler to set up and support higher throughput out of the box. IgniteSMS's Standard plan uses toll-free numbers, so you can start sending immediately while your 10DLC registration processes.

3. Building a Compliant Opt-In Flow

A proper opt-in flow protects you legally and builds a higher-quality subscriber list. Here's the anatomy of a compliant flow:

Step 1: Clear Disclosure

Before the person opts in, they must see disclosure language that explains:

  • They're consenting to receive marketing text messages
  • Your business name
  • Message frequency (e.g., "up to 4 messages per month")
  • That message and data rates may apply
  • How to opt out (reply STOP)
  • Links to your privacy policy and terms of service

Step 2: Confirmation Message

After opt-in, send a confirmation text that includes your business name, what they signed up for, frequency, and STOP instructions. Example:

IgniteSMS: You're subscribed to marketing updates from [Business Name]. Up to 4 msgs/mo. Reply STOP to opt out. Msg&data rates apply.

Step 3: Record Keeping

Keep records of every opt-in: the phone number, the method (keyword, web form, paper), the timestamp, and the exact disclosure language shown. If someone files a TCPA complaint, this is your defense. IgniteSMS automatically logs all opt-in and opt-out events with timestamps.

4. Opt-Out Handling

The industry-standard opt-out keywords are STOP, UNSUBSCRIBE, CANCEL, END, and QUIT. When a recipient sends any of these, you must:

  1. Stop sending messages immediately
  2. Send one final confirmation: "You've been unsubscribed. No more messages will be sent. Reply START to re-subscribe."
  3. Never message that number again unless they re-opt in

IgniteSMS handles opt-out processing automatically at the platform level, so you don't have to worry about missing a STOP message.

5. State-Level Laws to Watch

Several states have their own texting and privacy laws that layer on top of the TCPA:

  • Florida (FCCPA): Requires opt-in consent specifically for texts, even stricter than TCPA in some areas. Limits texting hours to 8 AM – 8 PM.
  • California (CCPA/CPRA): Gives consumers the right to know what data you collect and to request deletion. Your SMS subscriber list is considered personal data.
  • Oklahoma & Maryland: Have their own mini-TCPA laws with additional requirements.

When in doubt, follow the strictest applicable rule. If Florida says 8 PM cutoff and TCPA says 9 PM, use 8 PM for Florida numbers.

6. Content Restrictions

Carriers filter certain content types aggressively. Avoid these in your campaigns:

  • SHAFT content: Sex, Hate, Alcohol, Firearms, Tobacco — heavily filtered or banned on most carrier networks
  • Deceptive claims: "You've won!" or "Free money" triggers spam filters
  • URL shorteners: bit.ly and similar short links are flagged. Use branded or full-length URLs
  • All caps: Writing in ALL CAPS increases carrier filtering risk

7. How IgniteSMS Keeps You Compliant

IgniteSMS was built with compliance as a core feature, not an afterthought:

  • Automatic opt-out processing — STOP, UNSUBSCRIBE, CANCEL, END, and QUIT are handled instantly at the platform level
  • Consent tracking — every opt-in is logged with timestamp, method, and source
  • 10DLC registration assistance — we walk you through brand and campaign registration
  • Toll-free verification — Standard plan numbers are pre-verified for immediate sending
  • Quiet hours enforcement — schedule campaigns with time-zone awareness
  • QR code & keyword opt-in tools — built-in tools to create compliant opt-in flows

Quick Compliance Checklist

  • ✅ Have written consent before sending marketing texts
  • ✅ Include business name in every message
  • ✅ Only text between 8 AM – 9 PM recipient's time (8 PM for FL)
  • ✅ Honor STOP requests immediately and automatically
  • ✅ Register your brand and campaign for 10DLC
  • ✅ Keep opt-in records (method, timestamp, disclosure)
  • ✅ Send a confirmation message after every opt-in
  • ✅ Include opt-out instructions periodically
  • ✅ Avoid SHAFT content, URL shorteners, and ALL CAPS
  • ✅ Link to your privacy policy and terms of service

The Bottom Line

SMS compliance isn't optional — but it's also not hard. Get proper consent, honor opt-outs, register with 10DLC, and use a platform that handles the technical details for you. IgniteSMS automates the most error-prone parts of compliance so you can focus on writing great messages.

Stay Compliant from Day One

IgniteSMS handles opt-outs, consent tracking, and 10DLC registration. Start your free trial today.

Start Free Trial