Compliance Resource

The Complete TCPA Compliance
Guide for SMS Marketing

Everything your business needs to know to send compliant text messages — and avoid lawsuits that can cost $500–$1,500 per message.

Last updated: March 2026 · 20 min read

1. What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 that regulates telemarketing calls, auto-dialed calls, pre-recorded calls, text messages, and unsolicited faxes. It is the primary law governing SMS marketing in the United States.

The TCPA is enforced by the Federal Communications Commission (FCC) and gives consumers the private right to sue businesses that violate its provisions. For SMS marketers, the TCPA essentially requires that you:

  • Obtain proper consent before sending marketing texts
  • Honor opt-out requests immediately
  • Identify your business in every message
  • Only send messages during appropriate hours
  • Maintain records of consent

Critical: TCPA violations can result in damages of $500 per unsolicited text message, increasing to $1,500 per message for willful violations. A single campaign to 5,000 contacts without proper consent could result in $2.5 million to $7.5 million in liability.

4. Opt-Out Requirements

Providing a clear, easy way to opt out is not optional — it's the law. Here's what you must do:

  • Include opt-out instructions in every marketing message (e.g., "Reply STOP to opt out")
  • Honor opt-outs immediately — within one message. Send a single confirmation text, then stop all messages
  • Recognize standard opt-out keywords: STOP, UNSUBSCRIBE, CANCEL, END, QUIT
  • Never charge for opting out
  • Never require the customer to call, email, or visit a website to opt out — text-based opt-out must always work

Compliant Opt-Out Confirmation

"You have been unsubscribed from [Business Name] messages. You will receive no further texts. Reply START to re-subscribe or contact us at [email] for help."

IgniteSMS handles this automatically: Our platform recognizes STOP, UNSUBSCRIBE, CANCEL, END, and QUIT keywords and immediately removes the contact from future messages.

5. 10DLC Registration

10DLC (10-Digit Long Code) is the industry standard for business-to-consumer (A2P) text messaging using standard local phone numbers. As of 2024, all businesses sending SMS via 10-digit numbers must register with The Campaign Registry (TCR).

Registration involves two steps:

  1. Brand Registration: Register your business identity (name, EIN, website, etc.) — one-time process
  2. Campaign Registration: Register each messaging use case (marketing, customer service, etc.) with sample messages and your opt-in flow

What Happens If You Don't Register?

  • Carriers (AT&T, T-Mobile, Verizon) will block or filter your messages
  • You may face per-message surcharges from $0.003 to $0.01
  • Your delivery rates will drop significantly
  • Your phone number could be permanently blocked

IgniteSMS makes this easy: We guide you through 10DLC registration and handle the technical submission to TCR. Most brands are approved within 3–7 business days.

6. CTIA Guidelines

The CTIA (Cellular Telecommunications Industry Association) publishes messaging guidelines that carriers enforce. While not law, violating CTIA guidelines can result in your messages being blocked. Key requirements:

  • Business identification: Every message must identify your business name
  • Message frequency disclosure: Tell subscribers how often they'll receive messages (e.g., "Up to 4 msgs/month")
  • "Msg & data rates may apply" disclosure in opt-in language
  • HELP keyword support: Consumers must be able to text HELP for more information
  • Privacy policy: You must have a privacy policy accessible to subscribers
  • Terms of service: You must link to terms governing your messaging program

Required HELP Response

"[Business Name]: For help, contact us at [email] or [phone]. To opt out, reply STOP. Msg & data rates may apply. Message frequency varies."

7. Message Content Rules

Beyond consent and opt-out, there are rules about what your messages can and cannot contain:

Always Include:

  • Your business name or identifier
  • Opt-out instructions (e.g., "Reply STOP to opt out")
  • A clear purpose — the message should match your registered campaign use case

Never Include:

  • SHAFT content: Sex, Hate, Alcohol, Firearms, Tobacco — these are blocked by carriers
  • Misleading content: False urgency, deceptive claims, or phishing attempts
  • Loan or debt collection language without additional regulatory compliance
  • Cannabis/marijuana content — blocked on most carrier networks

Sending Hours

While federal TCPA law specifies 8:00 AM to 9:00 PM in the recipient's local time zone, several states have stricter windows. Best practice: only send marketing messages between 9:00 AM and 8:00 PM in the recipient's time zone.

Important: URL shorteners like bit.ly are often flagged as spam by carriers. Use your own branded short domain or full URLs in messages.

8. Record Keeping

In any TCPA lawsuit, the burden of proof is on you to show that you had valid consent. Maintain detailed records of:

  • Consent evidence: Timestamp, source (web form, keyword, paper), IP address (for web opt-ins), and the exact language the consumer agreed to
  • Opt-out records: When a consumer opted out and confirmation that messages stopped
  • Message logs: Content and timestamp of every message sent
  • Campaign details: What campaign each message belonged to and the business purpose

IgniteSMS stores all of this automatically: Every opt-in source, timestamp, message log, and opt-out event is recorded in your account for audit-ready compliance.

Recommended retention period: Keep consent records for at least 5 years — the TCPA statute of limitations is 4 years, and having an extra year provides a safety margin.

9. Penalties & Fines

TCPA enforcement happens through both government action and private lawsuits. Here's what's at stake:

$500

Per violation (negligent)

$1,500

Per violation (willful)

4 Years

Statute of limitations

Real-World TCPA Settlements

  • Capital One (2014): $75.5 million settlement for unsolicited calls and texts
  • Jiffy Lube (2016): $47 million for sending texts without consent
  • Abercrombie & Fitch (2014): $10 million for marketing texts without proper opt-out
  • Papa John's (2016): $16.3 million for unsolicited text messages

Don't think small businesses are safe: TCPA class actions increasingly target small and mid-size businesses. Even a campaign to 1,000 contacts without proper consent puts $500,000–$1.5 million at risk.

10. State-Specific Laws

Several states have enacted their own texting and privacy laws that may be stricter than the federal TCPA:

Florida (FTSA)

Florida's Telephone Solicitation Act requires prior express written consent for all sales calls/texts, restricts sending hours to 8am–8pm, and allows $500/$1,500 per violation in private lawsuits.

California (CCPA/CPRA)

California's privacy laws give consumers the right to know what data you collect (including phone numbers), the right to delete, and the right to opt out of data selling.

Oklahoma

Oklahoma's Telephone Solicitation Act restricts automated calls/texts and mirrors many TCPA provisions with additional state-level enforcement.

Washington (WTSA)

Washington's Telephone Solicitation Act imposes additional restrictions on automated telephone solicitations, including texts.

Recommendation: If you send texts to recipients in multiple states, comply with the strictest applicable law. When in doubt, consult a telecommunications attorney.

11. SMS Compliance Checklist

Use this checklist to ensure your SMS marketing program is fully compliant:

12. Frequently Asked Questions

Can I text my existing customers without getting new consent?

No — unless they specifically opted in to receive marketing texts from you. Having a customer's phone number from a purchase, business card, or appointment does not constitute consent for marketing messages.

Can I buy a list of phone numbers and text them?

Absolutely not. Purchased lists do not come with valid express written consent. This is one of the fastest ways to face a TCPA lawsuit.

Do I need consent for appointment reminders?

Informational/transactional messages like appointment reminders require express consent (not necessarily written), but the message must be purely informational — no promotional content. If you add "mention this text for 10% off," it becomes a marketing message requiring express written consent.

How do I handle a customer who opts out but then wants back in?

The customer must take an affirmative action to re-subscribe, such as texting a keyword like START, SUBSCRIBE, or YES. You cannot re-add them manually.

Is a double opt-in required?

Not legally required under TCPA, but strongly recommended. A double opt-in (confirming via a follow-up text) provides stronger consent evidence and reduces spam complaints. Some carriers and platforms require it.

What if I send a text to a wrong number?

You could still be liable. If someone receives an unwanted text — even due to a typo or recycled number — it can be a TCPA violation. This is why clean, verified contact lists are essential.

Does the TCPA apply to B2B texts?

The TCPA primarily protects consumers (B2C). However, if you text a business owner's personal cell phone, the TCPA may apply. State laws may also have additional protections.

Stay Compliant with IgniteSMS

Our platform handles opt-in tracking, automatic opt-outs, 10DLC registration, and consent record-keeping — so you can focus on growing your business.

Start Free Trial Talk to Sales