2026 Guide to TCPA Compliance for SMS in the US
A guide for any business sending SMS messages to customers in the US to help them comply with TCPA rules and avoid fines. Includes 2026 rule updates and handy checklists.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Regulations change frequently. Consult qualified legal counsel for advice specific to your business, use case, and the states in which you operate.
Running SMS campaigns in the United States means operating within two overlapping compliance frameworks: the Telephone Consumer Protection Act (TCPA), a federal law enforced by the FCC and through private litigation, and the CTIA Messaging Principles and Best Practices, a set of industry standards enforced by mobile carriers. Violating either — or both — puts your organization at financial and operational risk.
This guide is intended for compliance and legal teams, privacy officers, and operations managers responsible for SMS programs. It covers the rules you need to follow, how they apply to different message types, what has changed recently, and how to build a program that holds up to scrutiny.
What is the TCPA?
The Telephone Consumer Protection Act of 1991 (TCPA) is a U.S. federal consumer protection law enacted to curb unwanted telemarketing communications and protect consumer privacy.
Although the law was introduced before SMS existed, the FCC (Federal Communications Commission) has long interpreted the statute to treat text messages as “calls” for TCPA purposes, making SMS communications subject to the same core restrictions as phone calls. In addition to text message formats like SMS and MMS, the law also applies to:
- Voice calls
- Robocalls or other pre-recorded voice messages
- Fax transmissions
The TCPA has been updated repeatedly since it was enacted in 1991.
Key 2025 updates that are now in effect:
Consent revocation (April 2025): Businesses must honor opt-out requests made through “any reasonable method” — not just keyword replies like STOP. This includes opt-outs communicated by email, voicemail, or informal language. Processing must occur within 10 business days, though real-time processing is best practice.
One-to-one consent (January 2026): Consent cannot be shared across brands or sold to third parties. Each sender entity must obtain its own consent from each consumer. This closes the so-called lead-generator loophole and significantly affects affiliate marketing and multi-brand programs.
TCPA enforcement
The FCC administers the rules, but the TCPA also allows individuals to bring private lawsuits, which are common. Statutory damages of $500–$1,500 per message, with no cap on total liability, mean that non-compliant high-volume campaigns can incur significant penalties.
The CTIA: Carrier-enforced standards
The CTIA Messaging Principles and Best Practices are not law, but non-compliance results in carriers filtering or blocking your messages, which is just as damaging operationally as a regulatory penalty. The most recent update was issued in October 2025.
The CTIA framework covers consent, opt-in and opt-out flows, sender identity, content restrictions, and 10DLC campaign registration. Carriers including AT&T, Verizon, and T-Mobile apply these standards to decide whether your traffic is delivered.
State-level mini-TCPA laws
About a dozen states have enacted their own SMS-related laws, many of which are stricter than the federal TCPA. Where state law is more restrictive, it takes precedence. Key examples include:
| State | Key requirement(s) | In effect |
|---|---|---|
| Texas | Expanded scope to include SMS; new private right of action under the DTPA | September 2025 |
| Virginia | Opt-out records must be retained for 10 years | January 2026 |
| Florida | 15-day safe harbour after opt-out request; limit of 3 messages per 24 hours per recipient | Amended 2024 |
| Connecticut | Written consent required for all telephonic sales; penalties up to $20,000 per violation | In effect |
| Arizona | Prohibition on unsolicited texts to DNC-registered numbers; fines up to $1,000 per violation | In effect |
As a general rule, apply the strictest standard that covers a given contact, based on their state of residence.
Consent: The foundation of compliance
Types of Consent
The TCPA distinguishes between two levels of consent depending on message type:
1. Prior express written consent is required for marketing and promotional messages.
This means:
- An affirmative opt-in action by the consumer (a pre-ticked box does not count)
- A clear disclosure of what they are consenting to, including that they may receive autodialed or pre-recorded messages
- Identification of the sender
- A statement that consent is not a condition of purchase
- A documented record of when, where, and how consent was captured
2. Prior express consent (verbal or written) is sufficient for transactional and informational messages, provided the consumer’s phone number was shared in a context directly related to the communication (for example, a customer providing their number when placing an order, then receiving shipping updates).
What counts as valid opt-in
Valid opt-in methods include web forms with an unchecked consent checkbox, keyword opt-ins (e.g., texting JOIN to a short code), paper forms, and verbal consent for transactional messages. The key requirements across all methods:
- The consumer must take an affirmative step
- The consent must be specific to the sender; broad consent does not transfer to related brands or third parties
- The consent record must be stored and retrievable
One-to-one consent (introduced 2026)
Under the FCC’s January 2026 rule, consent obtained on a comparison shopping site, lead generation form, or through a third party cannot be used by multiple downstream businesses. Each brand must obtain its own consent directly. If your SMS database was built using shared or purchased leads, it requires immediate review.
Message types and what the rules require
Marketing and promotional messages
These are messages whose primary purpose is to advertise, promote, or sell, such as discount offers, product announcements, event invitations, and similar content. They require prior express written consent and must include:
- Clear sender identification in every message
- An opt-out mechanism (e.g., “Reply STOP to unsubscribe”)
- Adherence to quiet hours: 8am–9pm in the recipient’s local time zone
- A “Message and data rates may apply” disclosure in the program’s initial opt-in confirmation
Example of a compliant marketing message:
[BrandName]: Your exclusive 20% off code is SAVE20 — valid until Sunday. Reply STOP to opt out. Msg&data rates may apply.
Transactional and operational messages
These are messages that relay information directly related to an existing relationship or transaction — order confirmations, delivery updates, appointment reminders, account alerts, two-factor authentication codes, and similar content. They require a lower consent standard, but they carry one critical restriction: no promotional content.
Adding a discount offer or upsell to a transactional message reclassifies it as marketing, requiring the higher consent standard. Keep transactional and promotional workflows completely separate.
Example of a compliant transactional message:
[BrandName]: Your order #48291 has been dispatched and is expected to arrive Thursday. Track your order: [link]
Example of a non-compliant transactional message:
[BrandName]: Your order #48291 has been dispatched. While you wait, use code NEXT10 for 10% off your next purchase.
10DLC registration
All businesses sending A2P (Application-to-Person) SMS via 10-digit long codes in the US must register with The Campaign Registry (TCR). Since February 2025, unregistered traffic has been blocked by carriers.
Registration is a two-step process:
1. Brand registration: Registers your business entity. You will need:
- Legal business name (must match IRS records exactly)
- Employer Identification Number (EIN)
- Business type (LLC, corporation, etc.)
- Website and contact information
2. Campaign registration: Registers each distinct use case (e.g., marketing, alerts, two-factor authentication). Each campaign requires:
- A description of the campaign’s purpose and what recipients will receive
- Sample messages
- Documented opt-in process (including screenshots of web forms if applicable)
- Opt-out and HELP keyword handling
Typical approval timelines: Brand registration in 1–3 business days; campaign registration in 2–7 business days. Certain industries are ineligible for 10DLC, including cannabis, firearms, payday loans, and debt relief services.
If you operate at high volume or require greater throughput, short codes and toll-free numbers are alternatives with their own registration requirements.
CTIA content rules
1. SHAFT restrictions
The CTIA prohibits or restricts certain content categories regardless of consent. Known as SHAFT, these are:
- Sex: Explicit adult content; age-gating is required where applicable
- Hate: Content promoting violence or discrimination
- Alcohol: Permitted with age verification
- Firearms: Permitted only within legal parameters
- Tobacco and CBD: Restricted; age verification required
Campaigns touching these categories require additional vetting and may face carrier restrictions.
2. URL and link handling
Public link shorteners (Bitly, TinyURL, and similar) are frequently used by spammers and trigger carrier filters. Use branded or dedicated short domains for links in SMS messages. Carriers evaluate link reputation as part of message scoring.
TCPA and CTIA compliance checklists
Before launching a campaign
- Confirm that written consent exists for every recipient on a marketing send
- Verify consent records are stored and attributable to specific opt-in events
- Confirm 10DLC brand and campaign registration is approved for this use case
- Check that sender identification is included in every message
- Check that opt-out instructions are included
- Confirm sending hours are within 8am–9pm in each recipient’s local time zone
- Scrub the list against the National Do Not Call Registry
- Confirm no recipients have previously opted out
- Verify that the Reassigned Numbers Database (RND) has been consulted for numbers where consent was obtained more than 30 days ago
- Confirm the message contains no promotional content if sent as transactional
Ongoing operations
- Opt-out requests are processed in real time (or within 10 business days at most)
- Opt-out records are stored with timestamps and retained per state requirements (up to 10 years in Virginia)
- A confirmation message is sent to opt-outs within 5 minutes of the request, containing no promotional content
- Consent records are auditable and linked to specific data capture events
- Contact lists are regularly reviewed for reassigned numbers
- Campaign registration details remain accurate as message content evolves
- State-specific rules are applied per recipient location, not just at the federal level
Penalties and litigation risk
TCPA litigation has increased sharply. Class actions filed through mid-2025 were up nearly 95% year-over-year. The financial exposure is significant:
| Violation type | Statutory damages |
|---|---|
| Standard TCPA violation | $500 per message |
| Willful or knowing violation | $1,500 per message |
| DNC Registry violation | Up to $43,792 per call or text |
There is no cap on aggregate damages. A campaign of 100,000 messages sent without proper consent could result in exposure exceeding $150 million in a class action.
AI-generated messaging
The FCC’s February 2024 declaratory ruling confirmed that AI-generated voices constitute “artificial voices” under federal law. The same consent and disclosure requirements apply to AI-generated or AI-assisted messages as to conventional automated messages. Businesses using AI tools to generate or personalize SMS content should ensure those messages are captured within their consent and registration framework in the same way as any other automated send.
Summary: Minimum compliance requirements
| Requirement | Marketing SMS | Transactional SMS |
|---|---|---|
| Prior express written consent | Required | Not required |
| Sender identification | Required | Required |
| Opt-out mechanism | Required | Recommended |
| Quiet hours (8am–9pm local) | Required | Required |
| 10DLC registration | Required | Required |
| DNC scrubbing | Required | Required |