If you want to text your customers or leads, you must first start with SMS compliance. While texting has become popular for its 98% open rates and high reply rates, brands must consider compliance before their first customer text is even sent.
One of the most important elements of a successful texting strategy, SMS compliance means adhering to laws and regulations around texting to respect customer preferences, improve text message deliverability, and maintain brand credibility. Compliance protects your brand from legal issues, fines, and reputational damage and builds trust with your audience.
This guide serves as a foundational understanding of compliance, including laws, key steps for registration and deliverability, things to watch out for, and how to maintain compliance long-term.
In addition, we’ve put together an 8-item SMS compliance checklist that will serve as your launch point for compliant SMS campaigns.
Disclaimer: This blog does not constitute legal advice but practical recommendations.
TL;DR
SMS compliance is incredibly important to tackle before sending text message campaigns because it means adhering to laws and regulations around texting. Failure to comply can lead to fines, lawsuits, and/or reputational damage.
Texting is regulated by the Telephone Consumer Protection Act (TCPA), Federal Communications Commission (FCC), and mobile carriers. The TCPA requires businesses to obtain prior express written consent before texting consumers, provide functional opt-outs, and protect consumer data. The FCC is the arbiter of the TCPA. State mini-TCPAs also exist in certain states, apply to all people who are currently in (not just reside in) that state, and should be followed. Carriers are important because they also have rules, especially regarding spam, and can reduce or completely block message deliverability.
Our SMS compliance checklist includes the following:
- Create compliant opt-ins
- Set up compliant opt-outs
- Register with The Campaign Registry
- Avoid the Do Not Call registry
- Avoid spam triggers
- Protect customer data
- Monitor deliverability
- Stay updated on compliance
We recommend reading through the entire checklist for a better understanding of each step.
Why is SMS compliance important?
Ranging from opt-in language to A2P registration, SMS compliance helps you protect both your business and your customers.
Compliance is one of the most important aspects of business texting. If you want to do business texting right, understanding, maintaining, and monitoring compliance is an absolute must.
SMS compliance isn’t just about avoiding any legal issues or hefty fees. It’s essential for building customer trust, establishing credibility, and protecting customer data.
Without compliant actions such as Trust Score registration, deliverability rates could fall. This means that all the effort your team puts into SMS could be wasted, as many texts are never delivered to customers’ inboxes—and you wouldn’t even know.
Compliance for text messages includes respectfully and legally obtaining consent, which helps you comply with laws such as the TCPA. By obtaining a Trust Score and understanding spam triggers, you can also boost deliverability of your text messages.
With many facets and legal rules, SMS compliance can be complex and intimidating. Let’s break down key laws and governing bodies—and how to comply with them.
TCPA and text messages
You may have heard of the Telephone Consumer Protection Act (TCPA) before—what you may not know is that the TCPA does apply to text messages as well as phone calls.
The TCPA regulates telemarketing calls, faxes, and text messages to protect consumers from unwanted telemarketing communications. Through the TCPA, the Federal Communications Commission (FCC) maintains responsibility for governing SMS communications in the United States.
When it comes to texting, the TCPA requires businesses to obtain prior express written consent before texting consumers, and provide functional opt-outs, and protect consumer data.
Non-compliance with the TCPA can have costly consequences for businesses, including financial penalties and reputational damage. Fines can get as high as $20,000 per violation. In addition, businesses that violate the TCPA may also face lawsuits from consumers or consumer advocacy groups, which can also result in high fines and negative publicity.
State TCPAs
One thing to watch out for when it comes to the TCPA is that states also have “mini-TCPAs”: state-specific regulations that apply to people in that state. State TCPAs apply to people within the respective states, even if they are not state residents, and businesses must adhere to them when contacting those people whether or not they are physically located in that state.
If businesses operate in more than one state, they must understand and adhere to the state TCPA(s) as well.
States including Arizona, California, Colorado, Florida, New Jersey, New York, Utah, Washington, and Wisconsin, have their own “mini-TCPAs”.
These often include things like:
- Specific times of day when texting consumers is not allowed
- Self-identification requirements for businesses
- Stricter data collection and privacy requirements
We’ve put together a detailed list of states with individual TCPA requirements here.
What is A2P 10DLC?
A2P 10DLC is the American standard that permits businesses to send automated text messages with registered phone numbers. If you want to send texts from a full 10-digit phone number, you have to register as A2P 10DLC.
A2P stands for Application-to-Person messaging. A2P is defined as any automated text message where a person is receiving messages from an application, and which is not expected to receive a reply. Examples of A2P messages include marketing communications, automated reminders and notifications, and chatbots.
10DLC stands for 10-digit long code phone numbers. In the past, 10DLC were intended for Person-to-Person (P2P) traffic only, causing businesses to be constrained by limited throughput and heightened filtering. With A2P 10DLC, trusted companies experience increased deliverability, but do require additional registration to build trust with carriers.
Deliverability and the CTIA
Another name to know is the Cellular Telecommunications Industry Association (CTIA), which includes mobile carriers and also aims to protect consumers from unwanted text messages.
The CTIA is not part of the government, but it is important because it can block texting services for businesses that are non-compliant. Their rules are very much in line with the TCPA, including guidelines for opt-ins and opt-outs and spam content.
Also selected by carriers, The Campaign Registry (TCR) is important for message and call deliverability. Companies must register with TCR before texting—and we’ll get to this later.
SMS compliance checklist: 8 action items
Now that we’ve gone over some foundational knowledge about SMS compliance laws and related bodies, let’s get into what businesses should do for compliance.
Disclaimer: This is not legal advice but practical recommendations.
Create compliant opt-ins
In accordance with the TCPA, you must first set up compliant opt-in methods.
There are many ways consumers can opt-in, including:
- Providing consent on paper that clearly states their consent to receive texts from your business at a certain phone number.
- Providing consent over the phone, where the caller’s consent is recorded and timestamped.
- Filling out an online form that explicitly states that the customer subscribes to receive texts from your business at a provided phone number. This can be a website form, subscribe option, or a pop-up on your website.
- Texting your company’s short code number with a provided keyword or code. (Think: “Text YES to 123456 to opt-in.”)
The most robust opt-in methods require customers to take action. For example, sending the “YES” text to a short code number. If using a form opt-in, you can ask customers to enter their phone number, text them a verification, and have them text back confirming their consent.
Once the method is set up, you’ll need to use compliant language in your opt-in, which includes:
- The name of your business (Example: “I agree to receive texts from Verse at this number.”)
- Disclaimer that message and data rates may apply
- Link to your company’s terms and privacy policies
- Why you’ll be texting customers (Example: “I agree to receive promotional texts from Verse.”)
- Opt-out information should be included in the opt-in form and in your first text message to the recipient to be safe.
Your opt-in forms should link back to your privacy policy and terms and conditions. Make sure that they are updated to include:
- How the subscribers’ contact information is stored and used
- What type of communication subscribers receive
- How often you will be messaging subscribers
- An easy way to opt-out or to get support
Set up compliant opt-outs
For TCPA compliance, businesses must provide clear and functional opt-outs via text message. These are specific text messages a customer can reply with to automatically opt out of messages. This is also required by the CTIA.
Under the CTIA, customers must be able to opt out by texting back any of these words: STOP, END, CANCEL, UNSUBSCRIBE, or QUIT.
Ensure that these words work to remove customers from SMS communications and that these requests are honored promptly. This should be handled automatically by a system.
When consumers first opt-in, you must include opt-out information, such as a text message a customer can reply with to opt-out. For example, “Reply STOP to stop messages”.
Recently, the TCPA expanded opt-outs through the Revocation of Consent rule. This rule gives consumers the ability to revoke consent through any reasonable means, requirement to honor revocation requests within 10 business days of receipt, and permission to send a one-time clarification message.
Register with TCR for a Trust Score
Brands must register with The Campaign Registry (TCR) in order to mass text consumers.
Upon registration, TCR will give your business a Trust Score: a value ranging from 0 to 100, higher being better. Trust Scores determine the routing and delivery speed of your messages.
While a score above 70 is considered good, Trust Scores of 90 and above are excellent and can result in faster message delivery and lower costs. Scores under 23 will result in low to no deliverability.
Best practices businesses should use to improve their score:
- Eliminate data discrepancies in A2P registration, including address, business registration number, tax ID, and brand name.
- Use legally-registered brand name only.
- Ensure all SMS content is compliant.
- Never send unsolicited messages, use deceptive language, or spam.
Avoid the Do Not Call (DNC) list
The Do Not Call registry (DNC) is a list of numbers that businesses cannot call, and exists to protect consumers from unwanted calls. Businesses should not text these numbers either.
The DNC is protected by state and federal law, and brands can face fines and penalties for contacting anyone on the DNC. Regularly scrub your contact lists against DNC registries to ensure you are not contacting anyone on the DNC.
By doing so, companies demonstrate respect for consumers’ privacy and avoid potential legal issues.
Avoid spam triggers
Triggering a spam filter will harm your message deliverability—and spam triggers are not always obvious.
It is best practice to avoid certain words that carriers will commonly block as spam; for example, “free”, “urgent”, “cash”, and “not spam.”
While filters can be triggered by certain words, the context is what matters the most. Most spam words are only filtered out when used in a certain context, so it’s not as simple as avoiding certain words.
The first rule is to always remain transparent and straightforward and avoid any deceptive or exaggerated claims. For example, instead of “Win free AirPods today!”, say something more like, “Enter our contest for a chance to win AirPods.”
Here are a few best practices to follow:
- Always proofread for grammatical and spelling errors, as those can be flagged as spam.
- Limit use of exclamation marks, all-caps, emojis, and special characters.
- Do not ask for personal information unless it’s absolutely necessary.
- Familiarize yourself with common spam words to be safe. See our full list here.
Protect customer data
Data protection is a crucial part of SMS compliance. Brands must prevent unauthorized access and ensure compliance with data protection regulations. This may include utilizing encryption techniques to safeguard sensitive information transmitted through text messages and implementing secure storage protocols.
For example, compliance with data protection laws such as California’s Consumer Privacy Act helps to ensure that customer data is handled responsibly.
This may include utilizing encryption techniques to safeguard sensitive information transmitted through text messages and implementing secure storage protocols.
Monitor deliverability
To ensure that nothing is amiss, closely and regularly track your deliverability rates. One sign of a low Trust Score or non-compliant texts is lowered deliverability, and you’ll want to tackle any issues quickly.
If a particular message gets flagged frequently, revise your approach. You should also keep track of opt-out rates—sudden spikes can mean there is a problem with your SMS approach or message content.
Of course, you should also listen to feedback from your customers and adjust accordingly.
At Verse, we monitor deliverability 24/7 for all of our clients’ messages and investigate any dips in deliverability or opt-out rates.
Stay updated on compliance news and regulations
SMS compliance is not one-and-done. As the environment changes, rules, regulations, and carrier policies do too.
Marketing and legal teams must stay informed on new regulations, maintain good carrier relationships, and constantly update their approaches to remain compliant. Any company that texts its customers should keep close tabs on compliance news.
For example, just last year the FCC updated the TCPA with the Revocation of Consent ruling, which expanded the TCPA’s opt-out requirements.
For this reason, SMS compliance for mass texting is commonly outsourced to companies like Verse that are not only experts, but devote 100% of their resources to texting and compliance.
Verse: Your SMS compliance partner
Verse is your partner in SMS compliance. Our expert team ensures that all conversations we conduct on our clients’ behalf are 100% compliant.
Verse is a fully-managed, AI-powered texting platform that manages compliant customer conversations via SMS, 24/7, with instant replies. Use cases extend throughout the customer journey, ranging from lead engagement to post-purchase surveys and review collection.
Our dedicated compliance team maintains great relationships with the regulators of text messaging, including carriers and the FCC, and:
- Takes care of A2P 10DLC registration
- Assists with compliant opt-ins and opt-outs
- Tracks deliverability rates 24/7
- Monitors regulations
- Ensures calls are always verified and never labelled as “Unknown” or “Spam Likely”
- Regularly scrubs against the DNC and known litigators
No matter how you want to use SMS at your company, Verse can help you do it effortlessly and compliantly. Book a demo with us today to learn more.
SMS compliance FAQ
1. Why is SMS compliance important for my business?
SMS compliance ensures your business stays aligned with federal and state regulations, protects consumer data, and avoids costly fines. It also improves text message deliverability, builds customer trust, and strengthens your brand’s credibility.
2. What is the TCPA and how does it apply to texting?
The Telephone Consumer Protection Act (TCPA) regulates both texts and phone calls. It requires prior express written consent from consumers before sending marketing messages and mandates functional opt-outs. Non-compliance can lead to lawsuits and serious penalties.
3. What are “mini-TCPAs” and do I need to follow them?
Yes. Several U.S. states—including California, Florida, New York, and Utah—have their own versions of the TCPA with additional rules like restricted texting hours, self-identification, and privacy measures. These laws apply to anyone physically in the state, not just residents.
4. What is A2P 10DLC and why does it matter?
A2P 10DLC allows businesses to send automated text messages from 10-digit numbers. Registering under A2P gives you a Trust Score, which affects your message speed, delivery rates, and cost.
5. What’s a Trust Score and how does it impact deliverability?
A Trust Score (0–100) is assigned during A2P 10DLC registration. Scores over 70 are good, while scores over 90 can lead to better delivery. Low scores result in slower delivery or blocked messages. Keeping your registration info accurate and content compliant improves your score.
6. What should I include in a compliant SMS opt-in?
A compliant opt-in should include:
- Your business name
- Disclosure of message/data rates
- A link to terms and privacy policy
- Clear opt-out instructions
- A concise explanation of why you’re texting
7. What are the approved opt-out keywords?
Customers must be able to opt out by texting: STOP, END, CANCEL, UNSUBSCRIBE, or QUIT.
8. Can I text numbers on the Do Not Call (DNC) list?
No. Texting phone numbers on the DNC list is a violation of federal and state laws. Be sure to regularly scrub your contact lists to avoid penalties.
9. What are common SMS spam triggers to avoid?
Avoid using misleading or exaggerated language. Commonly filtered words and phrases include: “free,” “urgent,” “cash,” and “not spam.”
Other tips:
- Use proper grammar
- Avoid excess punctuation or emojis
- Don’t ask for sensitive info unless necessary
10. How should I protect customer data in SMS communication?
Use encryption, secure storage, and adhere to data privacy laws like the California Consumer Privacy Act (CCPA). Always be transparent about how you collect, store, and use personal information.
