SMS is a powerful way to reach a responsive audience. In the wrong hands, it can also be invasive and annoying. We’ve all received unwanted texts that have us typing STOP or blocking faster than you can say “spam.” But, unwanted texts can be more than an annoyance—they can be illegal.
Bodies across the United States regulate SMS compliance. Those who fail to comply face fines, lawsuits and reputational damage. Understanding SMS policy is crucial for any business that uses text messages to connect with customers.
This comprehensive guide covers everything from federal laws to privacy acts. Learn about written consent, message transparency and easy opt-outs. As a bonus, explore tips and tricks for keeping your business compliant with SMS regulations into 2025.
The information in this guide is for reference only and does not constitute legal advice.
What Is SMS Compliance Law?
SMS compliance law regulates business text messages for customer service, marketing and more. These laws dictate how companies can use SMS to engage with consumers. They prevent unwanted texts from cluttering phones, protect privacy and keep businesses ethical.
Which Bodies Regulate SMS Compliance?
Government and industry entities enforce SMS standards. The following are the most important regulatory bodies and rulings in the United States:
The Federal Communications Commission (FCC)
The FCC is an independent U.S. agency regulating interstate and international communications. This body enforces laws and regulations, including issuing fines for noncompliance. FCC SMS regulations require wireless providers to block SMS from certain numbers. They also extend the TCPA National Do-Not-Call (DNC) registry to include SMS.
Illegal robocalls and robotexts account for a large part of FCC complaints. Robotexts differ from A2P bulk messaging. They are sent from an autodialer with no human interaction and are automated to send messages continually. They often originate from fake numbers that are linked to scams or smishing campaigns.
The Telephone Consumer Protection Act (TCPA)
The TCPA, a ruling passed by the FCC in the U.S. in 1991, prohibits unsolicited marketing calls. The FCC ruled that text messages have the same classification as phone calls in this case.
The Cellular Telecommunications and Internet Association (CTIA)
The CTIA is a trade group representing the U.S. wireless communications industry. It influences policies, implements best practices and promotes its members through awareness. CTIA’s Messaging Principles and Best Practices is a how-to guide for creating positive consumer experiences. The handbook establishes messaging methods to safeguard consumers against unwanted communication.
The Campaign Registry (TCR)
Applicable only to 10-digit long code (10dlc) registration, TCR is the industry-appointed reputation management company put in place to determine whether a brand is reputable enough to send messages via the major mobile carriers’ networks (e.g., AT&T, T-Mobile, etc.). Its scoring of companies determines how the carriers will perceive your brand while reviewing your request to send campaigns and messages over their individual networks.
Mobile Carriers
The carriers are the last stop when it comes to compliance. They have the right to block messages that break any of the rules and regulations surrounding compliance and are required to stop unlawful sending as set forth by the FCC. But, they can also make their own rules if lawful under the FCC.
What Are the SMS Rules in the U.S.?
If your business sends text messages in the U.S., you should follow TCPA laws and CTIA standards. The FCC enforces TCPA as federal law focusing on users’ consent to receive text messages (aka opt-in), while the CTIA provides best-practice SMS guidelines for companies sending messages as well as for the carriers. Noncompliance can lead to hefty fines or lawsuits, harming your profits and reputation.
If you are sending messages into or out of the U.S. and are using a 10dlc, you will also need to conform to the industry regulations of TCR and the carriers. These are strictly enforced, and noncompliance will result in blocked messages or fines from the carriers. The regulations were put in place to ward off spam and scams, but they also give the carriers more control over how much load goes over their networks.
How Can You Obtain Express Written Consent?
Under TCPA, express written consent involves a user giving permission to receive messages. That doesn’t mean you must show up at your customer’s door with pen and paper. “Written” can refer to electronic permission. Before agreeing, the recipient needs to know what they’re agreeing to.
Types of Messaging
Text messages fall into one of three categories. The consent required can depend on the type of messaging content:
- Conversational: A consumer starting a conversation to which a business responds implies consent. This type of message needs no further verbal or written permission. Conversational exchanges fall under TCPA text message exemptions for express consent.
- Informational: Examples of informational or transactional SMS include appointment reminders or verification codes. Even if a customer gives an organization their number, they must provide express consent before the organization can SMS them. The consumer can provide electronic, verbal or written permission.
- Promotional: Messages with sales or marketing content fall under promotional. Examples include adding a call to action (CTA) or a link to a product page. Promotional messaging requires users’ express permission before organizations can communicate with them.
“Opt-in” is among the most important words in the SMS compliance glossary. By opting in, a customer agrees to receive messages. Does the thought of collecting opt-ins make you break out in a sweat? Cool those jets! Obtaining consent can be as simple as ticking a box on a web form or texting a keyword. The two most popular methods for obtaining consent are text to join and web forms.
Text to Join
As the name suggests, consumers text a keyword to a number to subscribe to an SMS program. The opt-in or follow-up message must include certain elements to meet TCPA and CTIA requirements:
- Business name: The first step is to identify your business to the recipient so they know who the sender is.
- Purpose: Define the campaign’s intent and outline the content users can expect.
- Frequency: State how often and how many messages you send.
- Rates: Be explicit about messaging and data rates that the consumer might incur.
- Terms and conditions: Provide a link to the campaign’s terms and conditions.
- Privacy policy: A link to your privacy policy should explain how you handle personal data.
- Opt-out: All initial or post-opt-in confirmations must offer recipients an unsubscribe option.
- Confirmation: CTIA suggests that subscribers receive immediate auto-confirmation. This message includes your business name, data rates, opt-out guidelines and relevant links.
Web Forms
Online consent forms can live on your website as a pop-up or separate landing page. Customers might tick a box to opt in, but as with text to join, compliance requirements apply:
- Phone number: The web form must have a field where users can enter their phone number.
- Wording: For TCPA text messages, the form must state that the person will receive automated messages. For CTIA, you must include frequency, rates, opt-out instructions, terms and privacy links.
- Checkbox: If you include an opt-in checkbox, the box must remain unchecked by default.
- Confirmation: The user should receive an automated confirmation per CTIA guidelines. The follow-up message should contain the same elements as the text-to-join communications.
Double SMS Opt-In
Scammers find a way around even the most CTIA-compliant web forms. That’s where doubling up on consent can save you a heap of headaches down the road. A savvy scoundrel could enter any phone number into a web form to sucker in unsuspecting folks. Double opt-in sends a second confirmation to verify the recipient’s identity. The text asks the consumer to reply YES to confirm their subscription or NO/STOP if they didn’t subscribe. If they answer yes, they will receive a final confirmation message.
What Is the Required Wording for SMS Compliance?
Whichever collection method you use must include specific wording to meet SMS standards. If you can check each of these components off, you’re well on your way to compliance success:
1. Business Name and Purpose
Readers should immediately recognize the sender and the messages they can expect. For example, “Hello from Red Oxygen! Reply YES to receive weekly industry updates …”
2. Condition of Purchase
People might worry that they must buy something to join an SMS program. State the user can subscribe regardless of whether they make a purchase. For example, “Agreement is not a condition of purchase.”
3. Message Frequency
Let the consumer know how many messages you plan to send and how often they can expect to receive them. For example, “… up to 2 messages per week.”
4. Opt-Out Instructions
An SMS opt-in is like a door that allows a consumer into a room willingly. Leaving off an opt-out is like locking the door. It’s a consumer’s prerogative to change their mind at any time, and an opt-out allows them to do that. Texting “STOP” is a standard unsubscribe method. Consumers could also opt out by web form, phone call or any other reasonable means. You must make instructions clear and acknowledge that a user has unsubscribed.
5. Help Guidance
Include a way for the user to get help if needed. Texting “HELP” may send them a contact number, email or website to seek further help.
6. Message Data Rates
This disclosure alerts recipients that their carrier may charge for sending or receiving SMS.
7. Terms and Conditions
A link should take the user to a document outlining the terms and conditions for the text campaign. CTIA requires that this document include the following:
- Business name
- SMS campaign name
- Telephone or short code number used
- SMS opt-in requirements and opt-out instructions
- Information on where to get help
- Supported wireless carriers
- Messaging frequency
- Message and data rates
- Privacy policy link
8. Privacy Policy
Privacy policies are like safety nets when you go bungee jumping. Sure, you don’t need one, but having one would give you peace of mind. Your privacy policy outlines how the business collects, uses and protects personal information.
How Can You Comply With SMS Requirements?
SMS compliance may seem like a complex maze, but these tips can help you navigate with ease:
Provide Clear Opt-Out Mechanisms
While you want to keep every customer, it’s inevitable that you’ll have some people revoke their business. When people want to forgo communications, it’s important to oblige. Imagine a previous utility provider continued to reach out to you after you canceled service. These communications would probably become annoying very quickly and certainly wouldn’t give you an incentive to return. This same idea applies to your customers.
You should include easy-to-read instructions on opting out inside every message. You can also utilize keywords or commands such as “STOP” for streamlined opt-outs. Respond to these requests promptly and do not charge users for opting out.
Respect Time-of-Day Guidelines
Do you like waking up at 3 a.m. to the sound of a message notification? Neither does your target audience. The TCPA asks organizations to take a break from sending out messages between 9 p.m. and 8 a.m. in the recipient’s time zone.
Steer Clear of SHAFT Content
What is “SHAFT,” you ask? Yes, it is a 2000 movie starring Samuel L. Jackson, but SHAFT is also a handy acronym for prohibited content:
- S: Sexually inappropriate
- H: Hate speech or profanity
- A: Alcohol
- F: Firearms
- T: Tobacco and vaping or endorsement of illegal drugs
In some cases, carriers will allow certain adult content subject to “age-gating.” This functionality requires a user to confirm their date of birth to opt in. They receive the content if they reply and meet the minimum age requirements.
What Are the Consequences of Violations?
Violating SMS compliance laws can result in costly fines or costlier reputational damage. As Spider-Man’s Uncle Ben said, “With great power comes great responsibility,” and compliance is up there with great responsibilities. Consequences of violations depend on the regulatory body:
TCPA Violations
Since TCPA legislation is federal law, violations can lead to hefty punishment. Noncompliance can result in fines from $500 to $1,500 with no damage cap. Lawsuits can run into millions of dollars in damages.
CTIA Noncompliance
Since the CTIA sets out guidelines, noncompliance is not punishable by law. However, failing to meet CTIA standards could lead to violations of TCPA or other acts.
10-Digit Long-Code (10dlc) Violations
10dlc optimizes application-to-person texting. Failing to adopt 10dlc can reduce your reach and delivery rates. 10dlc fees and fines could cost as much as $10,000 per non-compliant SMS. These violations can also result in blocked messages and companies.
FAQs
Now that you know the ins and outs of SMS compliance, here are answers to some of your burning questions:
What Are the SMS Rules for TCPA?
Follow the below rules for TCPA SMS compliance:
- Get express written consent.
- Provide clear disclosures.
- Include easy-to-understand opt-out instructions.
- Send messages during business hours only.
What Are the Federal SMS Regulations?
Telephone Consumer Protection Act text messages fall under federal law. These regulations ensure organizations get express consent from recipients before sending messages. Users must know what they opt into and how to opt out. Violations of FCC text messaging regulations can result in a maximum penalty of $500 per day.
Are SMS Messages HIPAA Compliant?
According to the Health Insurance Portability and Accountability Act (HIPAA) Journal, text messages are not HIPAA compliant. Some instances of HIPAA-compliant texting occur when a patient initiates contact via SMS. But in general, you should never send personal or classified information via SMS because it is inherently not a secure form of communication. The U.S. Department of Health and Human Services may, however, waive HIPAA texting rules in natural disasters.
Let Red Oxygen Help You Stay SMS Compliant
For more than 20 years, Red Oxygen has been a one-stop SMS solutions provider, keeping our customers happy and compliant. Whether you send to users in the U.S., Australia or the EU, our innovative technology can help you meet local laws. Are you stressed out about SMS billing? Our billing and compliance MSP offering keeps you ahead of changing regulations. You can send SMS straight from your computer with our SMS Gateway API! Plus, replies go to your email inbox for added compliance and traceability.
Learn how Red Oxygen can elevate your SMS communication strategy without sacrificing compliance. Contact us to request a free demo of our solutions today!