SMS Compliance Guide: TCPA, CTIA & 10DLC Requirements
Everything you need to know about staying compliant when sending business text messages in the United States.
Sending business text messages comes with real legal and regulatory responsibilities. Unlike email, where compliance rules are relatively straightforward, SMS is governed by federal law, industry guidelines, and carrier-specific rules that all apply at the same time. Understanding these requirements is not just about avoiding fines; it is about building trust with the people who receive your messages.
This guide breaks down the three layers of SMS compliance: federal law (TCPA), industry standards (CTIA), and carrier requirements (10DLC). By the end, you will know exactly what you need to do to send messages legally and reliably.
TCPA: The Federal Foundation
The Telephone Consumer Protection Act (TCPA) is a federal law passed in 1991 and updated several times since. It is enforced by the Federal Communications Commission (FCC) and gives consumers the right to control who contacts them by phone and text. For businesses sending SMS, the TCPA establishes the legal framework for consent and penalties.
Key TCPA Requirements for SMS
- Prior express consent is required for informational and transactional messages
- Prior express written consent is required for marketing and promotional messages
- Consent must be given freely and cannot be a condition of purchasing a product or service
- Consumers must be told what they are signing up for before they give consent
- An easy opt-out mechanism must be provided and honored promptly
- Callers must identify themselves in every message
Types of Consent Under TCPA
Express Consent
Required for: Transactional messages (order confirmations, appointment reminders, account alerts)
How to obtain: The consumer provides their phone number and agrees to receive texts. This can be verbal, written, or through an electronic form. The key is that the consumer knowingly provides their number for the purpose of receiving messages.
Express Written Consent
Required for: Marketing and promotional messages (sales, discounts, advertisements)
How to obtain: A written agreement (physical or electronic) that clearly discloses that the consumer agrees to receive marketing texts, the approximate frequency, and that consent is not required to make a purchase. A checkbox on a web form with proper disclosure language qualifies.
Penalties: TCPA violations carry fines of $500 per unsolicited message, rising to $1,500 per message for willful violations. Class action lawsuits are common, and settlements regularly reach millions of dollars. This is not a theoretical risk; businesses of all sizes face TCPA litigation every year.
CTIA: Industry Best Practices
The CTIA (Cellular Telecommunications Industry Association) publishes the Messaging Principles and Best Practices guide, which is the industry standard that carriers follow when evaluating messaging programs. While not a law, these guidelines are effectively mandatory because carriers enforce them by filtering or blocking non-compliant traffic.
CTIA Guidelines You Must Follow
- Program identification: Every message must clearly identify the sender
- Opt-in confirmation: Send a confirmation message when someone subscribes
- Opt-out support: Honor STOP, QUIT, CANCEL, END, and UNSUBSCRIBE keywords
- Help support: Respond to HELP with your program name, contact info, and opt-out instructions
- Frequency disclosure: Tell subscribers how often they will receive messages
- Message and data rates: Include "Msg & data rates may apply" in your opt-in disclosure
- Privacy policy: Maintain and link to a privacy policy covering your messaging program
- Terms of service: Provide terms that describe your messaging program
Required Disclosures at Opt-In
When collecting consent, your opt-in point (web form, paper form, keyword) must disclose:
- The program name or product description
- The message frequency (e.g., "up to 4 messages per month")
- That message and data rates may apply
- How to opt out (e.g., "text STOP to cancel")
- How to get help (e.g., "text HELP for help")
- A link to your terms and privacy policy
Carrier Requirements and 10DLC
On top of TCPA and CTIA requirements, the major US carriers (AT&T, T-Mobile, and Verizon) have implemented the 10DLC system, which adds another layer of requirements. To send messages from a standard 10-digit phone number, you must register your brand and campaign. This registration gives carriers visibility into who is sending messages and what those messages contain.
What Carriers Expect
- A registered brand with a verified business identity
- A registered campaign with a declared use case and sample messages
- Messages that match the registered use case at all times
- Proper opt-in documentation that can be provided if audited
- Immediate honoring of opt-out requests
- No content that violates carrier acceptable use policies
Opt-In Requirements in Detail
Consent is the cornerstone of SMS compliance. Without it, every message you send is a potential violation. Here is a breakdown of the different consent methods and when each is appropriate:
| Message Type | Consent Required | Examples |
|---|---|---|
| Transactional | Express Consent | Order updates, appointment reminders, security alerts |
| Marketing | Express Written Consent | Promotions, sales, discounts, product launches |
| Conversational | Express Consent | Customer support replies, two-way conversations |
Opt-Out Handling
Handling opt-outs properly is just as important as collecting opt-ins. Here is what you need to do:
- Support standard keywords: STOP, QUIT, CANCEL, END, and UNSUBSCRIBE must all work
- Respond immediately: Send a single confirmation message acknowledging the opt-out
- Stop all messages: Remove the number from your active list immediately
- Do not require reasons: A consumer does not need to explain why they want to stop
- Allow re-opt-in: If someone texts START or YES after opting out, they can rejoin
- Keep records: Log all opt-out requests with timestamps
Best practice: After someone opts out, send one final message confirming the opt-out and nothing more. Example: "You have been unsubscribed from BrightShop messages. You will not receive any more texts. Reply START to resubscribe."
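One way to implement the inbound keyword handling described above, as an added example (not code from this guide or from any messaging provider). The `ConsentLedger` class, its method names, and the HELP contact address are assumptions; the keywords and the opt-out confirmation text are the ones given on this page. Staying silent on a repeated STOP is this example's reading of "a single confirmation message".

```python
from datetime import datetime, timezone

OPT_OUT = {"STOP", "QUIT", "CANCEL", "END", "UNSUBSCRIBE"}
OPT_IN = {"START", "YES"}
PROGRAM = "BrightShop"  # brand name taken from the page's sample message
HELP_CONTACT = "support@example.invalid"  # placeholder contact (assumption)


class ConsentLedger:
    """Hypothetical in-memory suppression list with an append-only audit log."""

    def __init__(self):
        self.opted_out = set()
        self.audit_log = []  # (UTC ISO timestamp, number, event)

    def _record(self, number, event):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((ts, number, event))

    def handle_inbound(self, number, body):
        """Return the one reply to send for an inbound text, or None."""
        # Normalise case, whitespace and trailing punctuation ("Stop." -> "STOP").
        keyword = body.strip(" \t\r\n.!").upper()
        if keyword in OPT_OUT:
            first_time = number not in self.opted_out
            self.opted_out.add(number)
            self._record(number, "opt_out")  # log every request, even repeats
            if not first_time:
                return None  # already confirmed once; stay silent
            return (f"You have been unsubscribed from {PROGRAM} messages. "
                    "You will not receive any more texts. "
                    "Reply START to resubscribe.")
        if keyword in OPT_IN and number in self.opted_out:
            self.opted_out.discard(number)
            self._record(number, "opt_in")
            return (f"{PROGRAM}: You are resubscribed. "
                    "Reply STOP to cancel, HELP for help.")
        if keyword == "HELP":
            # Program name, contact info and opt-out instructions.
            return (f"{PROGRAM}: For help contact {HELP_CONTACT}. "
                    "Reply STOP to cancel.")
        return None  # not a keyword; hand off to normal conversation flow

    def may_send(self, number):
        """Gate every outbound message on the suppression list."""
        return number not in self.opted_out
```

Call `may_send()` immediately before each outbound message rather than when a batch is built, so an opt-out that arrives mid-campaign still takes effect.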
Message Content Rules
Beyond consent, the content of your messages must follow certain rules:
- Identify yourself: Include your business name or brand in every message
- Be truthful: No misleading claims, fake urgency, or deceptive content
- No prohibited content: Carriers block messages with illegal content, phishing links, or malware
- SHAFT restrictions: Messages about sex, hate, alcohol, firearms, and tobacco require special use case registration
- No shared short code behavior: Do not send messages that appear to come from a different sender
- URL requirements: Use your own domain for links; avoid URL shorteners that mask the destination
Penalties for Non-Compliance
The consequences of non-compliance are serious and come from multiple directions:
Legal Penalties
- $500 per unsolicited message under TCPA
- $1,500 per message for willful or knowing violations
- Class action lawsuits with settlements often in the millions
- FCC enforcement actions and fines
Carrier Penalties
- Message filtering that silently drops your texts
- Campaign suspension preventing all messages from your registered numbers
- Brand blacklisting that prevents future registrations
- Per-message surcharges for non-compliant traffic
Business Impact
- Damaged brand reputation and consumer trust
- Loss of the ability to communicate with customers via text
- Revenue impact from blocked marketing messages
- Legal costs from defending against lawsuits
Building a Compliance Checklist
Use this checklist to make sure your messaging program is compliant before you start sending:
- ✓ Collect and document proper consent for every recipient
- ✓ Include all required disclosures at the opt-in point
- ✓ Support STOP, HELP, and other standard keywords
- ✓ Identify your business in every message
- ✓ Register your brand and campaign under 10DLC
- ✓ Maintain a privacy policy and terms of service
- ✓ Keep records of all consent and opt-out requests
- ✓ Review messages for prohibited or restricted content