TCPA & CTIA SMS Compliance: A Developer's Guide

Complete guide to SMS compliance under the Telephone Consumer Protection Act (TCPA) and CTIA guidelines — consent types, opt-out requirements, quiet hours, and enforcement.

TCPA & CTIA SMS Compliance

SMS messaging in the United States operates under a layered compliance framework. At the federal level, the Telephone Consumer Protection Act (TCPA) sets enforceable legal requirements. At the industry level, the CTIA (formerly the Cellular Telecommunications Industry Association) publishes self-regulatory guidelines that carriers and aggregators treat as binding. Understanding both is essential for any organization sending text messages at scale.


The TCPA: Federal SMS Law

Background

Congress enacted the TCPA in 1991 to curb unsolicited telemarketing calls. The statute has been amended multiple times and interpreted through dozens of FCC orders, most notably in 2003, 2012, 2015, and 2024. The law applies to calls and text messages sent to mobile phones, and courts have consistently held that an SMS constitutes a "call" under the TCPA.

Enforcement

The TCPA is enforced through two channels:

  • FCC enforcement. The FCC issues rules, declaratory rulings, and fines. It can impose forfeiture penalties and refer cases to the Department of Justice.
  • Private right of action. Individuals can sue senders directly in federal or state court. This provision has made the TCPA one of the most-litigated consumer protection statutes in the country.

Not every text message requires the same level of consent. The TCPA and FCC rules establish a three-tier hierarchy.

| Consent Level | Required For | How to Obtain | Key Requirements |
|---|---|---|---|
| No consent | Emergency alerts, fraud alerts, certain transactional messages, government notifications | N/A — exempted by statute or FCC order | Must fall within a recognized exemption; cannot include marketing content |
| Prior express consent | Informational messages to existing customers (e.g., appointment reminders, account alerts, delivery notifications) | Customer provides phone number in the course of a transaction | The message must relate to the transaction or relationship; no promotional content |
| Prior express written consent (PEWC) | Marketing, promotional, and advertising SMS or MMS | Signed written agreement (including electronic) with specific disclosure language | Clear and conspicuous disclosure, unambiguous agreement, not a condition of purchase |

A narrow set of messages is exempt from TCPA consent requirements: emergency alerts (threats to life or safety), government-originated messages for non-commercial purposes, certain healthcare messages under the FCC's 2015 exemption (subject to frequency caps and opt-out mechanisms), and time-sensitive financial fraud alerts from qualifying institutions.

These exemptions are narrow. If a message includes any promotional content — even a single upsell sentence — it typically loses its exempt status and requires written consent.

A consumer provides prior express consent by voluntarily giving their phone number in the context of a transaction — for example, entering a number on a checkout form to receive shipping updates. This consent level permits informational and transactional messages only. It does not permit marketing.

PEWC is the highest consent tier and is required for any message that promotes a product, service, or brand.


PEWC Requirements in Detail

The FCC's 2012 TCPA order and subsequent rulings define the elements of valid prior express written consent:

  1. Clear and conspicuous disclosure. The consent form must clearly state that the consumer agrees to receive marketing text messages. The disclosure cannot be buried in fine print or hidden behind hyperlinks.

  2. Specific consent language. The agreement must include:

    • The identity of the entity (or entities) that will send messages.
    • A statement that the consumer agrees to receive text messages at the specified number.
    • A statement that consent is not a condition of purchasing any goods or services.
    • Disclosure that message and data rates may apply.

  3. Affirmative opt-in mechanism. Consent must be given through an affirmative action — typically an unchecked checkbox that the consumer must actively select. Pre-checked checkboxes do not constitute valid consent. Neither does a blanket terms-of-service acceptance.

  4. Record-keeping. Retain proof of consent for each recipient: date and time, phone number, exact consent language, and method (web form, paper, keyword opt-in). The statute of limitations for private claims is four years, so records should be kept at least that long.

  5. One-to-one consent (2024 rule). The FCC closed the "lead generator loophole" by requiring written consent be granted to one identified sender at a time. Consent forms bundling multiple companies in a single action are no longer valid. Effective January 27, 2025.


Opt-Out Rules

The TCPA and FCC rules impose strict opt-out requirements on all commercial SMS senders.

STOP Keyword

Every marketing and promotional SMS program must honor the STOP keyword. When a consumer replies STOP (or a recognized variant such as QUIT, END, CANCEL, UNSUBSCRIBE, or OPTOUT), the sender must cease sending messages to that number.

Processing Timeline

Opt-out requests must be processed within 10 business days. After that window, no further messages may be sent unless the consumer re-opts in through a fresh, compliant consent flow.

Cross-Channel Revocation

The FCC's rules, reinforced by a January 2025 declaratory ruling and further clarified in guidance targeting implementation by January 2027, require that consumers be able to revoke consent through any reasonable means — not just by texting STOP. If a consumer calls a customer service line, sends an email, or submits a web form requesting to stop receiving texts, that revocation is valid and must be honored.

Additional Opt-Out Requirements

  • Opt-out mechanisms must be free. Senders cannot charge a fee or require a consumer to pay a premium-rate text to unsubscribe.
  • Senders may send one final confirmation message after receiving an opt-out request (e.g., "You have been unsubscribed and will receive no further messages."). That confirmation must not contain any marketing content.
  • Opt-out preferences must persist. Re-adding an opted-out number without new, valid consent is a violation.

Quiet Hours

The TCPA restricts the hours during which commercial calls and texts may be sent:

  • Federal rule: Marketing messages may only be sent between 8:00 AM and 9:00 PM in the recipient's local time zone.
  • State variations exist. Several states impose narrower windows. For example, some states prohibit commercial texts before 9:00 AM or after 8:00 PM. Oklahoma, Washington, and others have enacted their own telemarketing statutes with distinct time restrictions. Senders must comply with the most restrictive applicable rule.

Determining local time zone typically relies on the phone number's area code, though this is imperfect since consumers can port numbers across time zones.


Do Not Call (DNC) Registry

The National Do Not Call Registry, maintained by the FTC, is primarily designed for voice telemarketing. However, the TCPA's DNC provisions interact with SMS in several ways:

  • Text messages are treated as calls under the TCPA. Sending an unsolicited marketing text to a number on the DNC registry without prior express written consent is a violation.
  • Internal DNC lists. Every commercial sender must maintain an internal do-not-call list of consumers who have requested not to be contacted. This list must be honored within 10 business days and maintained for at least five years.
  • Established business relationship (EBR) exceptions for voice calls do not extend to text messages. Having an existing customer relationship does not override the need for proper SMS consent.

CTIA Guidelines

The CTIA publishes the Messaging Principles and Best Practices. While not law, these guidelines are enforced by wireless carriers, aggregators, and The Campaign Registry (TCR). Noncompliance can result in message filtering, throughput throttling, or program suspension.

Core CTIA Principles

  1. Consumer choice. Consumers must opt in before receiving messages and must be able to opt out at any time.
  2. Consumer control. Message programs must clearly identify the sender, disclose message frequency, and provide help and opt-out instructions.
  3. Message content standards. Content must comply with carrier-acceptable-use policies. The CTIA defines restricted content categories (see SHAFT below) and prohibits illegal content.
  4. Monitoring and enforcement. The CTIA operates a monitoring program that audits registered messaging campaigns for compliance. Carriers also run their own filtering systems.

CTIA Required Program Disclosures

Every SMS program must provide the following information at the point of opt-in:

  • Program name or product description
  • Message frequency disclosure (e.g., "Up to 4 msgs/month")
  • "Message and data rates may apply"
  • Opt-out instructions (e.g., "Reply STOP to unsubscribe")
  • Help instructions (e.g., "Reply HELP for help")
  • Link to privacy policy and terms of service

Short Code Compliance

Short codes (5- or 6-digit numbers) are subject to the most rigorous CTIA oversight:

  • Every short code campaign must be approved through the short code registry before going live.
  • Campaign descriptions, sample messages, and opt-in flows are reviewed by each participating carrier.
  • Changes to approved campaigns require re-certification.

SHAFT Restricted Categories

The CTIA designates certain content categories as restricted under the acronym SHAFT:

  • S — Sex / adult content
  • H — Hate speech
  • A — Alcohol
  • F — Firearms
  • T — Tobacco / cannabis

Messages in SHAFT categories face additional requirements including age-gating (18+ or 21+ depending on category), restricted sender types, and in some cases outright prohibition on certain number types.

For a detailed breakdown, see SHAFT+ Restricted SMS Categories.


Penalties and Enforcement

Statutory Damages

The TCPA provides for the following damages in private lawsuits:

| Violation Type | Damages Per Violation |
|---|---|
| Negligent (unintentional) | $500 per message |
| Willful or knowing | $1,500 per message (treble damages) |

A single SMS campaign sent to 10,000 recipients without proper consent could expose a sender to $5 million to $15 million in statutory damages — before accounting for legal fees.

Class Action Risk

The per-message damages structure makes SMS violations a prime target for class action litigation. Major settlements have reached tens and hundreds of millions of dollars.

FCC Enforcement

The FCC can impose forfeiture penalties of up to $23,727 per violation (adjusted for inflation). The Commission issued its first standalone robotext enforcement actions in 2023 and 2024.

Carrier-Level Consequences

Even absent legal action, noncompliance triggers carrier-level enforcement:

  • Message filtering and blocking. Carriers and aggregators silently drop noncompliant messages.
  • Campaign suspension. TCR and carrier review boards can suspend or revoke a 10DLC campaign registration.
  • Number deactivation. Carriers can disable the sending number entirely.
  • Sender reputation damage. Filtering algorithms penalize sending numbers and brands with compliance violations, reducing deliverability across all campaigns.

Recent Regulatory Developments

FCC 2024 Robocall/Robotext Rules

In February 2024, the FCC adopted new rules specifically targeting the robotext ecosystem:

  • One-to-one consent. Written consent must be specific to a single identified sender, eliminating the practice of selling bulk consent collected through comparison-shopping websites.
  • Expanded autodialer definition. Modern texting platforms fall within the TCPA's ATDS definition regardless of whether they dial from a random or sequential list.
  • Lead generator accountability. Entities collecting consent on behalf of others bear responsibility for ensuring it meets TCPA standards. Both the seller and the lead generator can be liable.

State-Level Activity

Multiple states have enacted their own texting statutes. Florida's 2021 FTSA amendments created a private right of action with TCPA-comparable damages. Oklahoma, Maryland, and Washington have also introduced or strengthened SMS-specific rules. Multistate compliance is essential for nationwide messaging programs.


Practical Compliance Checklist

  1. Audit consent flows. Verify that every opt-in form collects prior express written consent with all required disclosure elements. Ensure checkboxes are unchecked by default.
  2. Implement one-to-one consent. Ensure each consent form identifies a single sender. Do not bundle consent for multiple entities.
  3. Store consent records. Log the phone number, timestamp, consent language, and method for every opt-in. Retain records for a minimum of four years.
  4. Honor STOP and variants. Configure automated STOP-word processing for STOP, QUIT, END, CANCEL, UNSUBSCRIBE, and OPTOUT. Send a single confirmation reply.
  5. Respect quiet hours. Suppress marketing messages outside the 8 AM to 9 PM window in the recipient's local time. Account for state-specific restrictions.
  6. Maintain internal DNC lists. Process opt-out requests within 10 business days and maintain the suppression list for at least five years.
  7. Support cross-channel opt-out. Accept revocation of consent by phone, email, web form, or any other reasonable method — not only via STOP keyword.
  8. Disclose program details at opt-in. Include program name, message frequency, data rate notice, opt-out instructions, help instructions, and links to privacy policy and terms.
  9. Register campaigns properly. For 10DLC, register brands and campaigns through The Campaign Registry. For short codes, complete carrier certification. Keep registrations current.
  10. Review content for SHAFT restrictions. If messages contain age-restricted or sensitive content, apply the appropriate CTIA content attributes and age-gating mechanisms.
  11. Monitor deliverability and complaints. Track delivery rates, opt-out rates, and carrier feedback. Investigate sudden drops in delivery — they often signal filtering triggered by compliance issues.
  12. Train teams and document policies. Ensure that marketing, engineering, and operations teams understand TCPA and CTIA requirements. Maintain written compliance policies and update them as rules change.
