US SMS Compliance Guide
Last updated: 3/16/2023
SMS in the United States can be seen as quite complex, especially in comparison to other regions or other channels of messaging. Compliance can be scary and seem difficult, but Infobip is here to guide you through it.
The purpose of this guide is to provide an overview of SMS compliance in the USA. This guide is intended to be for information only, and does not serve as legal advice. You should consult your own counsel for legal advice.
Three Layers of Compliance
In the US, there are three layers of compliance:
- TCPA
- CTIA
- Individual carrier networks
The TCPA stands for Telephone Consumer Protection Act, and it is the federal legislation (originally written in 1991) that governs telemarketing, text messaging, and the Do-Not-Call list. While these laws don’t explicitly mention anything about SMS, it’s been ruled that texts are treated as phone calls under the TCPA. These laws exist to protect people from unsolicited text messages and phone calls.
The CTIA stands for Cellular Telecommunications Industry Association, and it is a trade group that represents wireless carriers and others in the telecom industry. The CTIA maintains the Short Code Monitoring Handbook which lays out additional guidelines for SMS marketing. The CTIA guidelines align with TCPA laws to protect people from unwanted text messages but extend further to help marketers create a better experience for consumers.
Individual Carrier Networks (or MNOs, Mobile Network Operators)
Each individual carrier network is privately owned and operated, and as such, they reserve the right to approve, reject, question, or disable any campaign on their network. Some carriers have their own individual Code of Conduct. For details, see the Industry Guides.
Text Message Laws
The TCPA and CTIA guidelines should both be adhered to; however, it's important to draw the distinction between what is law and what is regulation. There's a lot of overlap between the two, but you can view the TCPA as federal laws preventing unsolicited text messages and CTIA guidelines as carrier regulations further protecting consumers.
It is important to recognize that although failure to comply with TCPA laws can trigger large class-action lawsuits and penalties of up to $500 per text, failure to comply with carrier requirements can also result in fines.
What is Consent?
CTIA defines consent as "an individual subscriber's election to participate." How do you get consent? TCPA defines express written consent as permission given by someone on paper or electronically to receive promotional messages via an auto-dialer.
How to Obtain Consent?
Obtaining consent is actually fairly simple. Consent means that the subscriber you are messaging agreed to receive those messages. This could be by checking a box on a web form, sending a keyword, agreeing to a verbal request, or providing a phone number in a field.
When it comes to messaging, consent can be broken down into three categories depending on the type of messaging being used. Check out this guide provided by CTIA to outline the Types of Messaging Content and Associated Consent Principles.
Types of Messaging Content and Associated Consent Principles
Conversational
Conversational messaging is a back-and-forth conversation that takes place via text. If a Consumer texts a business first and the business responds quickly with a single message, then it is likely that it is conversational. If the Consumer initiates the conversation and the business simply responds, then no additional permission is expected.
- First message is only sent by a Consumer
- Message responds to a specific request
IMPLIED CONSENT
If the Consumer initiates the text message exchange and the business only responds to each Consumer with relevant information, then no verbal or written permission is expected.
Informational
Informational messaging is when a Consumer gives their phone number to a business and asks to be contacted in the future. Appointment reminders, welcome texts, and alerts fall into this category because the first text sent by the business fulfills the Consumer's request. A Consumer needs to agree to receive texts for a specific informational purpose when they give the business their mobile.
- First message is sent by the Consumer or business
- One-way alert or two-way conversation
- Message contains information
EXPRESS CONSENT
The Consumer should give express permission before a business sends them a text message. The Consumer may give permission over text, on a form, on a website, or verbally. The Consumer may also give written permission.
Promotional
Promotional messaging is a message sent that contains a sales or marketing promotion. Adding a call-to-action (e.g., a coupon code to an informational text) may place the message in the promotional category. Before a business sends promotional messages, the Consumer should agree in writing to receive promotional texts. Businesses that already ask Consumers to sign forms or submit contact information can add a field to capture the Consumer's consent.
- First message is sent by the business
- Message promotes a brand, product, or service
- Prompts Consumer to buy something, go somewhere, or otherwise take action
EXPRESS WRITTEN CONSENT
The Consumer should give express written permission before a business sends them a text message. Consumers may sign a form, check a box online, or otherwise provide consent to receive promotional text messages.
Consent in Real Time
When you understand the importance of consent, the different types, and their required consent level, you’ll need to understand how to collect that consent via opt-in. Even though implied consent and express consent are allowed for conversational and informational messaging, much of the messaging in the industry today is promotional in nature and, as such, Infobip recommends always collecting express written consent.
Obtaining consent requires having a Call to Action. The Call To Action is the language encouraging or inviting a consumer to opt-in to a program.
CTIA requires these Calls to Action to have some key things. First, the Call to Action must be clear and unambiguous. Consumers must be made aware of what they are signing up to receive.
How do you do that?
By ensuring you have six key things:
- Product description
- Message frequency
- Complete terms and conditions or link to complete terms and conditions
- STOP keyword
- Message and Data rates may apply disclosure
There are many ways to accomplish this online: your opt-in mechanism may be built into an order form, appear as a pop-up on a website, be embedded into an existing page, or may even be a stand-alone page. Whichever mechanism you choose, you'll need to ensure that it is TCPA and CTIA-compliant, and that it collects the subscriber's phone number.
Text to join is also an incredibly popular way to collect opt-in consent for SMS. Text opt-in works by directing a consumer to text in a keyword, or a phrase to a short code or phone number. For this to be considered compliant, the advertisement instructing someone to send the keyword must include some required wording.
While web forms and text to join are the most common forms of obtaining consent, there are others. Keep in mind that your Call to Action must be compliant and a user must agree to receive the messages.
The next requirement for compliance is confirming the opt-in. When a user subscribes, they should immediately be sent a confirmation message. The confirmation message should include the name of the program or brand, information on how to unsubscribe, how to get in touch for help, the message frequency, and the "Message and data rates may apply" disclosure.
A double opt-in is a great way to re-verify a consumer's intent and desire to subscribe to a program. It requires the user to agree to receive messages twice. When the user sends in their text to join keyword, or fills out their webform, they are first sent a message asking them to confirm they want to subscribe. If the user replies YES, they are then sent a final confirmation message. Double opt-in is also a great way to validate that phone numbers filled in on webforms are accurate.
Additional Compliance Requirements
In addition to the information about how to advertise the opt-in (Call to Action), how to obtain your opt-in, and what to send after someone opts in (confirmation message), what else is required?
All SMS programs are required to have a few key elements to support the SMS program.
Customers need to know how to unsubscribe from the program if they wish, and that request must be honored and confirmed immediately.
Reply STOP to cancel.
Infobip: You have been unsubscribed from Infobip messages; no further messages will be received.
Customer Care Contact Information
This is how a subscriber gets ahold of someone for assistance. This should be advertised in the HELP instructions. Anytime a user texts the keyword HELP, the program should respond and provide a phone number or email address that a consumer can use to get assistance.
Reply HELP for Help!
Infobip: For more information call us at 888-949-9540 or email [email protected].
All messaging programs must have a supporting website. This can be an existing website that a brand already has with a section that references SMS, a whole website dedicated to information about a brand's SMS program, or a small snippet at the bottom of a page.
As a business, you can determine what suits your needs best but make sure that you have the minimum required information.
Terms and Conditions Requirements
To meet compliance requirements, a terms and conditions page is a must. The link to your terms and conditions page must be easily accessible, and it must be advertised in the Call to Action. What’s required to be listed within the Terms and Conditions is pretty basic. Many brands choose to add more information or add an SMS section to their existing terms and conditions. You must have the following:
- Program or brand name
- Message frequency
- Description of the program
- Customer Care Contact information
- Opt-out Information
- Message and Data rates may apply disclosure
The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.
As noted earlier in this guide, there are multiple levels of compliance, CTIA and individual carrier networks.
Any unlawful, unapproved, or illicit content is prohibited, as listed by CTIA. The following are examples of prohibited content:
- Fraudulent or misleading messages
- Depictions or endorsements of violence
- Inappropriate content
- Profanity or hate speech
- Endorsement of illegal drugs
Carriers also define some additional disallowed content:
- High-risk financial services such as payday loans, or loans from non-direct lenders
- Debt forgiveness programs, including credit repair
- Illegal substances (cannabis or illegal prescriptions)
- Work and investment opportunities such as work-from-home programs or job alerts from third parties
- Lead generation or affiliate marketing indicating the sharing of collected information with third parties
Infobip has also put together a guide of specific use case types that each have their own recommendations and requirements.