If your business sends text messages to customers or prospects in the United States, the Telephone Consumer Protection Act (TCPA) governs how you do it — and the penalties for getting it wrong are significant. At $500 to $1,500 per message, and with no cap on total class action liability, a non-compliant high-volume SMS campaign can generate exposure in the millions.
The good news is that TCPA compliance for SMS is straightforward once you understand the core rules. The bad news is that most published guides — including some from well-known vendors — are out of date following a series of regulatory and court decisions in 2024 and 2025. This guide reflects the current state of the law as of mid-2026.
| ⚠️ LEGAL DISCLAIMER |
| This guide is for informational purposes only and does not constitute legal advice. TCPA requirements can depend on your specific use case, the states in which you operate, and the type of messages you send. Consult qualified legal counsel for advice specific to your business. |
What Is the TCPA?
The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 and enforced by the Federal Communications Commission (FCC). It regulates telemarketing and automated communications — originally targeting robocalls, but updated over time to cover SMS text messages as well.
The TCPA is unusual among consumer protection laws for two reasons: first, it allows individuals — not just the government — to bring private lawsuits for violations. Second, its statutory damages of $500 per violation (or $1,500 for wilful violations) are per message, not per campaign, making it exceptionally expensive for high-volume senders who get it wrong.
For businesses sending SMS, the TCPA operates alongside a second framework: the CTIA Messaging Principles and Best Practices. CTIA guidelines are voluntary industry standards enforced by mobile carriers — meaning they are not legally binding, but carriers can shut down short codes and block senders who violate them. Compliance with both provides the strongest position.
The Current State of TCPA Consent Rules (What Actually Changed in 2025–2026)
This is the section most guides get wrong. Before reading further, it is worth clearing up the most significant source of confusion in current TCPA compliance literature.
| 🔴 CORRECTION — WIDELY MISREPORTED |
| THE ONE-TO-ONE CONSENT RULE IS NO LONGER IN EFFECT. In December 2023, the FCC issued a rule requiring that consent must be specific to a single identified seller — closing what it called the “lead generator loophole.” This rule was scheduled to take effect in January 2025. However, on January 24, 2025, the US Court of Appeals for the Eleventh Circuit vacated the rule in Insurance Marketing Coalition v. FCC, finding the FCC exceeded its statutory authority under the TCPA. The FCC subsequently declined to appeal. In late 2025, the FCC formally eliminated the rule. As of 2026, one-to-one consent is not required under federal TCPA. |
| What this means in practice: a single consumer opt-in can still cover multiple sellers under the TCPA, as long as the consent is clear, express, and properly documented. However, broad disclosures (such as a hyperlink to a list of hundreds of potential partners) remain legally risky under common-law consent standards and are not recommended. |
The Consent Revocation (“Revoke-All”) Rule — Currently Delayed
A separate FCC rule would have required that a consumer’s opt-out request apply universally across all communications from a business — not just to the specific campaign or message type. This provision was delayed multiple times:
- The revoke-all provision was originally scheduled for April 2025.
- In April 2025, the FCC delayed it to April 11, 2026.
- In January 2026, the FCC delayed it again to January 31, 2027.
The underlying opt-out requirement — that businesses must honour opt-out requests made through “any reasonable method” — remains in force from April 2025. What is delayed is the provision requiring that a single opt-out apply to all channels and message types simultaneously.
TCPA Consent: The Core Rules That Remain in Force
Regardless of the regulatory changes above, these TCPA consent requirements are firmly in force and affect every business sending SMS to US consumers:
Prior Express Written Consent (PEWC) — Required for Marketing SMS
Before sending any promotional or marketing text message using an automated system, you must have the recipient’s prior express written consent. This consent must:
- Be in writing: Written consent includes electronic forms such as web form checkboxes, SMS keyword opt-ins, or documented verbal consent. A verbal opt-in alone, without a written record, is not sufficient for marketing messages.
- Name your business specifically: The consent disclosure must clearly identify the business the consumer is agreeing to receive messages from. Generic disclosures that do not name the sender are legally risky.
- Describe the message type: The consumer must understand what kind of messages they are agreeing to receive — for example, marketing offers, order updates, or appointment reminders.
- Include cost disclosure: The consent must note that standard message and data rates may apply.
- Not be a condition of purchase: The consumer must be able to make a purchase or access a service without consenting to marketing messages. Tying consent to a required transaction is a TCPA violation.
- Be obtained before the first message: You cannot send a message to obtain consent — consent must be in place before the first promotional message is sent.
| ✅ COMPLIANT OPT-IN EXAMPLE |
| Example compliant opt-in disclosure (web form): “By checking this box, I agree to receive recurring automated marketing text messages from [Business Name] at the mobile number provided above. Consent is not a condition of purchase. Message frequency varies. Msg & data rates may apply. Reply HELP for help, STOP to cancel.” |
| This example includes: business name identified, affirmative action (checkbox), consent-not-required statement, frequency disclosure, cost disclosure, and opt-out instructions — all required elements. |
Prior Express Consent — For Informational SMS
Not all business SMS requires prior express written consent. Informational messages — such as order confirmations, delivery notifications, appointment reminders, fraud alerts, or service updates — require only prior express consent, which is a lower standard. This consent can be obtained verbally or by providing a phone number in the context of requesting the service.
The distinction matters: a consumer who gives their phone number when placing an order is implicitly consenting to order-related messages. They are not consenting to promotional messages — those require the written standard described above.
Opt-Out Requirements: What TCPA Requires
Under the TCPA as updated by the FCC’s April 2025 rules, businesses must honour opt-out requests made through any reasonable method — not just the traditional STOP keyword. This is one of the most operationally significant requirements for SMS programmes:
| Opt-out requirement | What it means in practice |
| Any reasonable method | You must recognize opt-outs communicated by SMS keyword (STOP, UNSUBSCRIBE, END, QUIT, CANCEL, OPTOUT, STOPALL, REVOKE), by email, by voicemail, or through informal language. If a reasonable person would interpret the message as an opt-out, you must honor it. |
| Processing deadline | Opt-out requests must be processed within 10 business days. Best practice is real-time processing. |
| Confirmation message | After receiving an opt-out, you may send a single confirmation message within 5 minutes. This confirmation must contain no promotional content. |
| Cross-platform sync | If a consumer opts out from one channel or list, the opt-out must be reflected across all lists that contact that number. The most common compliance failure point. |
| Permanent suppression | Once a number is opted out, you cannot text it for any marketing purpose unless the consumer explicitly re-opts in with new prior express written consent. |
Calling Hours: When You Can Send SMS
The TCPA restricts the hours during which promotional messages may be sent. Federal rules set a window of 8 AM to 9 PM in the recipient’s local time zone. Several states are stricter:
| Jurisdiction | Permitted hours | Notes |
| Federal (TCPA) | 8 AM – 9 PM local time | Applies nationwide |
| Florida | 8 AM – 8 PM local time | Stricter than federal |
| Oklahoma | 8 AM – 8 PM local time | Stricter than federal |
| Washington | 8 AM – 8 PM local time | Stricter than federal |
| Texas | 9 AM – 9 PM (Mon–Sat) | Noon – 9 PM (Sundays) |
The time zone used is the recipient’s local time zone — not the sender’s. If you are sending from California but the recipient is in New York, Eastern Time governs. For national campaigns, schedule sends based on the recipient’s area code or ZIP code time zone, not a single sender time zone.
The National Do Not Call Registry
The National DNC Registry allows consumers to opt out of telemarketing calls. While primarily associated with voice calls, it also applies to autodialled or prerecorded-voice text messages sent for marketing purposes. Businesses must:
- Scrub marketing call and text lists against the DNC Registry before contacting numbers.
- Maintain an internal DNC list in addition to the national registry — covering consumers who have asked not to be contacted regardless of whether they are on the national list.
- Re-scrub lists against the DNC Registry at least every 31 days for active campaigns.
- Keep DNC list subscriptions current — access to the registry requires registration and, for most businesses, a paid subscription.
Violations of DNC rules carry fines of up to $43,792 per call or text message — in addition to any TCPA statutory damages. Note that the DNC Registry does not apply to businesses that have an established business relationship (EBR) with the consumer, subject to time limits.
TCPA and CTIA: Understanding Both Compliance Frameworks
The TCPA is a legal requirement. The CTIA Messaging Principles and Best Practices is a voluntary industry framework enforced by mobile carriers. Both matter:
| TCPA | CTIA Guidelines | |
| Legal status | Federal law | Voluntary industry standard |
| Enforced by | FCC + private litigation | Mobile carriers (AT&T, T-Mobile, Verizon, etc.) |
| Penalties | $500–$1,500 per message; class actions | Short code suspension; number blocking |
| Consent standard | Prior express written consent for marketing | Opt-in required; must match TCPA |
| SHAFT content | No direct restriction | Restricts Sex, Hate, Alcohol, Firearms, Tobacco/CBD |
| 10DLC registration | Does not require it | Required for A2P SMS campaigns |
SHAFT categories — sex, hate, alcohol, firearms, and tobacco (including cannabis/CBD) — are restricted under CTIA guidelines. Carriers will block SMS campaigns involving these content types without proper age gating or programme approval. If your business operates in any of these categories, work with your SMS provider to understand the pre-approval requirements before launching campaigns.
Consent Documentation: Why Records Matter as Much as Consent Itself
Obtaining valid TCPA consent is only half the battle. Courts have ruled against businesses that had valid consent at the time of sending but could not prove it when challenged. Robust consent documentation is not optional:
- What to record: The date and time of consent, the phone number consented for, the specific disclosure language the consumer agreed to, the method of opt-in (web form, SMS keyword, etc.), and the IP address or session ID if consent was obtained online.
- Retention period: Keep consent records for the duration of the relationship plus a minimum of four years after the last contact — aligning with the TCPA’s four-year statute of limitations.
- Cross-platform synchronisation: Consent records must be accessible to all sending systems. If a consumer opts out on one platform, every other system that might contact that number must have immediate access to that suppression.
- Third-party consent: If you are acquiring leads from a third party that claims to have obtained consent on your behalf, you need their documentation. Even though one-to-one consent is no longer federally required, relying on undocumented third-party consent is a litigation risk.
- Audit trails: Maintain a full audit trail of your consent records — including any updates, revocations, or re-opt-ins. Demonstrating clean consent management is your primary defence in a TCPA lawsuit.
TCPA Penalties: What Non-Compliance Actually Costs
TCPA penalties are assessed per message — not per campaign. For high-volume senders, this structure creates catastrophic exposure:
| Violation type | Penalty |
| Negligent violation (unintentional) | $500 per message |
| Wilful or knowing violation | $1,500 per message |
| False or inaccurate RMD filing (voice carrier) | $10,000 per violation |
| DNC registry violation | Up to $43,792 per call/text |
| Class action liability | No statutory cap — settlements in $10M–$100M+ range for large volume campaigns |
| ⚠️ PENALTY SCALE ILLUSTRATION |
| Scale example: A retailer sends 50,000 promotional SMS messages to a list that includes 2,000 numbers without valid prior express written consent. At $500 per negligent violation, exposure is $1,000,000. If a court finds the violation was wilful — for example, if the consent documentation was inadequate — exposure rises to $3,000,000. In 2025, TCPA settlements exceeded $150 million industry-wide, with individual settlements regularly reaching seven and eight figures for e-commerce brands. |
State TCPA Laws: Where Federal Rules Are Not Enough
The TCPA sets a federal floor — states can and do impose stricter requirements. Businesses sending SMS to recipients in these states should review local requirements in addition to federal TCPA:
- Florida (Florida Telephone Solicitation Act — FTSA): Florida has its own auto-dialler statute that is broader than federal TCPA. It applies to calls and texts made using an auto-dialler even without the use of a prerecorded voice, and includes a private right of action with damages of $500–$1,500 per violation. Florida also has stricter quiet hours (8 AM to 8 PM).
- California (CCPA/CPRA): While not a direct TCPA analogue, California’s Consumer Privacy Act gives consumers broad data rights that affect how businesses collect and use phone numbers for marketing. Businesses must honour deletion requests that include phone numbers used for SMS.
- Texas: Texas has its own Business and Commerce Code provisions governing telemarketing with different quiet hours (9 AM to 9 PM Monday through Saturday, noon to 9 PM Sunday) and registration requirements for telemarketers.
- Washington: Washington state restricts automated dialling and has stricter quiet hours matching Florida (8 AM to 8 PM).
- Oklahoma: Oklahoma also restricts calling hours to 8 AM to 8 PM.
State laws change frequently. If your business operates nationally, conduct an annual review of state telemarketing laws in your primary markets or retain counsel with expertise in multi-state TCPA compliance.
TCPA Compliance for Different SMS Use Cases
Consent requirements vary depending on what type of message you are sending. Here is how the rules apply to common business SMS use cases:
| Use case | Consent required | Notes |
| Promotional / marketing SMS | Prior express WRITTEN consent | Highest standard. Must name your business, describe message type, include cost disclosure, and be obtained pre-send. |
| Order confirmations / shipping | Prior express consent | Consumer providing number at checkout implies consent for order-related messages. Must not include marketing. |
| Appointment reminders | Prior express consent | Booking implies consent for appointment-related messages. Adding promotional content converts these to marketing messages — requiring written consent. |
| OTP / two-factor authentication | Prior express consent | User providing phone number for account setup implies consent. Must contain only the authentication code. |
| Emergency alerts (safety-critical) | Exemption may apply | FCC provides limited exemptions for genuine emergency safety communications. Seek legal counsel before relying on this exemption. |
10DLC and TCPA: The Relationship
TCPA is a consent law — it governs whether you may send a message. 10DLC (10-Digit Long Code registration) is a carrier infrastructure requirement — it governs how your messages reach their destination. They are separate frameworks with separate obligations, but they work together:
- 10DLC is required for A2P SMS volume: Without 10DLC registration, carriers will filter or block bulk SMS sent via long codes regardless of how clean your TCPA consent is. TCPA-compliant campaigns that bypass 10DLC will not be delivered.
- 10DLC does not substitute for TCPA consent: Registering your campaigns with The Campaign Registry confirms your messaging use case and intended message content — it does not validate or provide consent on your behalf. You still need valid TCPA consent for every number you message.
- Opt-out infrastructure must work at the carrier level: CTIA guidelines (enforced by carriers via 10DLC) require that your SMS programme respond to STOP and other opt-out keywords. This is separate from but consistent with TCPA opt-out obligations. Both must be implemented.
- Message content must match your registered use case: The Campaign Registry requires you to specify what type of messages your campaign sends (marketing, transactional, OTP, etc.). Sending messages that do not match your registered use case risks campaign suspension — and raises separate questions about whether recipients consented to the actual message type being sent.
| Read more: See our companion guide, “What Is 10DLC? The Complete Registration Guide for US Businesses,” for a full walkthrough of the registration process, trust scores, and throughput limits. |
TCPA Compliance Checklist for US Businesses
Use this checklist before launching any SMS programme or audit an existing programme against it:
| CONSENT COLLECTION |
| [ ] Prior express written consent obtained before first marketing message |
| [ ] Opt-in disclosure names your specific business |
| [ ] Disclosure describes message types and approximate frequency |
| [ ] “Msg & data rates may apply” included |
| [ ] Consent is not tied to purchase (separate from transaction flow) |
| [ ] Opt-in records retained with timestamp, IP, and disclosure text |
| OPT-OUT HANDLING |
| [ ] Platform recognises STOP, UNSUBSCRIBE, END, QUIT, CANCEL, OPTOUT, STOPALL, REVOKE |
| [ ] Opt-outs from email or other channels are processed within 10 business days |
| [ ] Confirmation message sent after opt-out (no promotional content) |
| [ ] Suppression list synced across all sending platforms |
| [ ] Opted-out numbers never re-messaged without new explicit opt-in |
| CAMPAIGN OPERATIONS |
| [ ] Messages sent between 8 AM and 9 PM recipient’s local time zone (8 PM for FL, OK, WA) |
| [ ] National DNC Registry scrub completed within last 31 days |
| [ ] Internal DNC list maintained and applied to all sends |
| [ ] 10DLC brand and campaign registration completed with message content matching registered use case |
| [ ] SHAFT content reviewed — age gating or carrier pre-approval in place if applicable |
| [ ] Sender identity disclosed in every message (business name or short code identifier) |
Frequently Asked Questions
What is the TCPA and who does it apply to?
The Telephone Consumer Protection Act (TCPA) is a federal law that governs telemarketing calls and automated text messages to US phone numbers. It applies to any business or individual that sends marketing SMS, makes automated or prerecorded-voice calls, or contacts numbers on the National Do Not Call Registry without consent. There is no minimum size threshold — TCPA applies to small businesses and enterprises equally.
Do I need consent to send transactional SMS like order confirmations?
Transactional messages require prior express consent, which is a lower standard than the written consent required for marketing messages. When a consumer provides their phone number to make a purchase or use a service, they are typically implying consent to receive messages directly related to that transaction. However, adding any promotional content to a transactional message converts it into a marketing message — requiring the higher written consent standard. Keep transactional and marketing messages cleanly separated.
Is one-to-one consent required under TCPA in 2026?
No. The FCC’s one-to-one consent rule — which would have required separate consent for each individual seller — was vacated by the US Court of Appeals for the Eleventh Circuit in January 2025 and formally eliminated by the FCC in late 2025. As of 2026, a single opt-in can still cover multiple sellers under federal TCPA, as long as the consent is clear and express. However, many compliance professionals recommend treating consent as seller-specific regardless, as broad consent disclosures remain legally risky under common law and state statutes.
What keywords must I recognise as opt-outs?
Your platform must recognise and act on at least: STOP, UNSUBSCRIBE, END, QUIT, CANCEL, STOPALL, REVOKE, and OPTOUT. The word does not need to be capitalised, and the message can include additional text — if a reasonable person would interpret the reply as an opt-out, you must honour it. Under the FCC’s April 2025 rules, opt-outs communicated through any reasonable method — including email or voicemail — must also be honoured within 10 business days.
What are the TCPA penalties for non-compliance?
TCPA statutory damages are $500 per message for negligent violations and $1,500 per message for wilful or knowing violations. There is no cap on total liability, which makes class action lawsuits particularly dangerous for high-volume senders. Additional DNC registry violations can add fines of up to $43,792 per call or text. In 2025, total TCPA settlements across the industry exceeded $150 million.
Does TCPA apply to B2B SMS?
TCPA applies to calls and texts made to mobile phone numbers, regardless of whether the recipient uses the number for business purposes. Many mobile numbers used in a business context are personal cell phones, and TCPA protections follow the number, not the context. B2B SMS campaigns that use automated sending to mobile numbers require TCPA-compliant consent just as B2C campaigns do. The safest approach is to treat any mobile number as subject to TCPA, regardless of the business relationship.
How does TCPA interact with 10DLC?
TCPA governs consent — whether you may send a message. 10DLC governs infrastructure — whether your message will be delivered by US carriers. Both are required for a compliant A2P SMS programme. TCPA-compliant campaigns without 10DLC registration face carrier filtering. 10DLC-registered campaigns without TCPA-compliant consent face legal liability. See our full 10DLC guide for registration details.
About IDT Express
IDT Express provides carrier-grade A2P SMS, SIP trunking, and DID numbers for US and international businesses. Our SMS API supports 10DLC-registered campaigns with full opt-out keyword handling, consent management integration, and dedicated US short code support. For businesses looking for a compliant US SMS infrastructure partner, contact our team or start a free trial.
