SMS Compliance Is Not Optional: What Marketers Need to Know
The TCPA has real teeth and carriers are getting more aggressive about filtering. Here's what every lifecycle marketer needs to understand about SMS compliance.
The channel with the highest stakes
SMS open rates hover around 98%. Response times average 90 seconds. For lifecycle marketers, it's the most direct line to a customer's attention that exists.
It's also the channel where getting compliance wrong is the most expensive. The Telephone Consumer Protection Act allows statutory damages of $500 to $1,500 per unsolicited text message. Class action attorneys have built entire practices around TCPA violations. In 2023 alone, TCPA-related settlements exceeded $1.3 billion.
This isn't a hypothetical risk. I've watched brands with legitimate marketing programs face legal challenges because their consent collection process had a gap they didn't know about. The message content was fine. The targeting was fine. The opt-in flow had a technical deficiency that exposed the entire program.
TCPA fundamentals for marketers
The TCPA was written in 1991 to address telemarketing robocalls. It's been extended and interpreted by courts to cover SMS. The core requirement: you need prior express written consent before sending marketing text messages.
That phrase, "prior express written consent," has specific legal meaning:
- The consumer must clearly authorize you to send marketing messages to their mobile number.
- The authorization must be in writing (electronic signatures count, including web form submissions and keyword opt-ins).
- You must keep records of that consent: the date, time, method, and the specific language the consumer agreed to.
- Consent must be voluntary. You cannot require SMS opt-in as a condition of purchase.
That last point catches brands regularly. If your checkout flow bundles SMS consent with order completion (a pre-checked box, or language that implies opting in is required to complete the purchase), that consent may not hold up. The FCC has been clear: the consumer has to make a separate, affirmative choice.
The double opt-in question
Single opt-in is technically legal under TCPA if the consent language is clear. Double opt-in (customer submits number, receives a confirmation text, replies YES) is safer.
Double opt-in proves the person who submitted the number actually controls the phone. It creates a timestamped audit trail. Carriers increasingly reward double opt-in programs with higher throughput. And subscribers who actively confirmed are less likely to report your messages as spam.
The tradeoff is list size. Double opt-in reduces your subscriber base by 15-30%. That reduction is a feature, not a bug. Those subscribers who don't confirm weren't going to be engaged anyway, and every unconfirmed number is a compliance risk sitting in your database.
Quiet hours are not optional
The TCPA restricts calls (and by extension, text messages in most interpretations) to the hours of 8:00 AM to 9:00 PM in the recipient's local time zone. Some states have stricter windows. Florida's mini-TCPA restricts marketing messages to 8:00 AM to 8:00 PM. Oklahoma requires 8:00 AM to 8:00 PM as well.
The operational challenge: you need to know the recipient's time zone, and you need your sending platform to respect it. If your SMS platform sends based on a single time zone and your audience spans the continental US, someone in a different zone is receiving messages outside their local quiet hours.
Most enterprise SMS platforms (Braze, Attentive, Klaviyo) have quiet hours enforcement built in. Turn it on. Verify it's working correctly. Test it by sending to numbers in edge-case time zones.
I've audited SMS programs where quiet hours were configured in the platform but the configuration was based on the business's location rather than the recipient's. The team assumed it was working correctly because messages were sending during business hours locally. Nobody checked whether the recipient-side enforcement was active.
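To make the recipient-side check concrete, here is an added example (not code from any SMS platform) that evaluates the window in each recipient's own time zone and lists the recipients a business-time-zone check would have messaged outside it. The record layout, function names and sample recipients are assumptions constructed for illustration; the windows are the ones stated above, and the IANA time zone database is assumed to be installed.

```python
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# Windows as stated in the article: 8:00-21:00 by default, 8:00-20:00 in FL and OK.
DEFAULT_WINDOW = (time(8, 0), time(21, 0))
STATE_WINDOWS = {"FL": (time(8, 0), time(20, 0)), "OK": (time(8, 0), time(20, 0))}


def send_allowed(now_utc, recipient_tz, recipient_state=None):
    """True if now_utc falls inside the recipient's local sending window."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if not recipient_tz:
        return False  # unknown time zone: hold the message instead of guessing
    start, end = STATE_WINDOWS.get(recipient_state, DEFAULT_WINDOW)
    local = now_utc.astimezone(ZoneInfo(recipient_tz)).time()
    return start <= local < end  # end treated as exclusive (conservative choice)


def audit_schedule(now_utc, business_tz, recipients):
    """IDs a check based on the business's time zone would wrongly send to."""
    business_ok = send_allowed(now_utc, business_tz)
    return [r["id"] for r in recipients
            if business_ok and not send_allowed(now_utc, r["tz"], r.get("state"))]


# Constructed sample: a send scheduled for 9:30 AM Eastern on 2024-03-12.
SEND_AT = datetime(2024, 3, 12, 13, 30, tzinfo=timezone.utc)
RECIPIENTS = [
    {"id": "r1", "tz": "America/New_York", "state": "NY"},
    {"id": "r2", "tz": "America/Los_Angeles", "state": "CA"},   # 6:30 AM local
    {"id": "r3", "tz": "America/Chicago", "state": "OK"},       # 8:30 AM local
    {"id": "r4", "tz": None, "state": None},                    # time zone unknown
]

if __name__ == "__main__":
    print(audit_schedule(SEND_AT, "America/New_York", RECIPIENTS))
```

Running the same audit against an export of a real scheduled send shows whether recipient-side enforcement is actually active before the campaign goes out.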
Carrier filtering: the invisible gatekeeper
Even with perfect compliance, carriers (AT&T, T-Mobile, Verizon) can filter your messages before they reach the subscriber. This is the SMS equivalent of email spam filtering, and it's getting more aggressive.
What triggers carrier filtering:
- High throughput from unregistered numbers. If you're sending marketing SMS on long codes (10-digit numbers) without registering through The Campaign Registry (TCR), carriers will throttle or block you.
- URL shorteners. Bit.ly and similar shorteners are heavily flagged because spammers use them to mask destinations. Use branded short links or full URLs.
- Prohibited content keywords. Certain terms related to cannabis, firearms, gambling, and adult content trigger automatic filtering regardless of legality in your state.
- High opt-out rates. If a large percentage of recipients reply STOP to your messages, carriers interpret this as a signal that the content is unwanted and may flag your sending numbers.
- Shared short codes. Shared short codes (where multiple brands send from the same number) carry higher filtering risk because one bad actor can contaminate the reputation for all senders on that code.
The solution for most brands: use a dedicated short code or toll-free number, register with TCR through your SMS platform, and monitor your delivery rates at the carrier level, not just the aggregate level.
At Stanley Black & Decker, when we evaluated SMS as a channel, the compliance infrastructure was scoped before a single message was sent. Registration, dedicated sending numbers, quiet hours configuration, consent language review with legal. The program launched clean because the compliance work happened first, not after the first complaint.
Consent management in practice
Collecting consent is step one. Managing it over time is where programs break down.
Maintain a consent ledger. For every subscriber, store: the phone number, the date and time of opt-in, the method (web form, keyword, POS), the exact consent language they agreed to, and any subsequent changes (opt-down to fewer messages, opt-out, re-opt-in).
Honor opt-outs immediately. When someone texts STOP, the opt-out must be processed and reflected in your suppression list before the next send. Not within 24 hours. Before the next send. Sending a message to someone who already opted out is the fastest path to a TCPA complaint.
Respect opt-out synonyms. STOP, UNSUBSCRIBE, CANCEL, END, and QUIT should all trigger the opt-out process. Most platforms handle this natively, but verify. I've seen programs that only honored "STOP" exactly, missing "Stop" and "stop please."
Separate consent by message type. Transactional messages (order confirmations, shipping updates) and marketing messages require different consent levels under TCPA. Don't bundle them. A customer who consented to order updates did not consent to promotional offers.
Re-consent after dormancy. If a subscriber hasn't received a message in 18 months, their consent may be considered stale. Send a re-permission message before resuming marketing sends.
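The ledger, opt-out and dormancy practices above can be combined into one pre-send gate. The following is an added sketch, not any platform's implementation: the `Ledger` class, event names, sample phone number and the 548-day approximation of 18 months are assumptions. It covers marketing consent only and matches an opt-out keyword as the first word of a reply, regardless of case or punctuation.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

OPT_OUT_WORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}  # list from the article
DORMANCY = timedelta(days=548)  # roughly 18 months (assumed approximation)


def is_opt_out(body):
    """Match an opt-out keyword as the first word, ignoring case and punctuation."""
    words = re.findall(r"[A-Za-z]+", body.upper())
    return bool(words) and words[0] in OPT_OUT_WORDS


@dataclass
class Ledger:
    events: list = field(default_factory=list)  # append-only audit trail

    def record(self, phone, kind, when, method, language=""):
        self.events.append({"phone": phone, "kind": kind, "when": when,
                            "method": method, "language": language})

    def inbound(self, phone, body, when):
        """Write an opt-out to the ledger as soon as the reply arrives."""
        if is_opt_out(body):
            self.record(phone, "opt_out", when, "sms_reply", body)

    def may_send_marketing(self, phone, now):
        """Latest opt_in/opt_out wins; dormant consent needs re-permission first."""
        history = [e for e in self.events if e["phone"] == phone]
        state = [e for e in history if e["kind"] in ("opt_in", "opt_out")]
        if not state or state[-1]["kind"] != "opt_in":
            return False
        last_touch = max(e["when"] for e in history
                         if e["kind"] in ("opt_in", "sent"))
        return now - last_touch <= DORMANCY


def demo():
    """Constructed sample: opt-in, one send, then a 'stop please' reply."""
    t0 = datetime(2024, 1, 5, 15, 0, tzinfo=timezone.utc)
    led, phone = Ledger(), "+15555550100"
    led.record(phone, "opt_in", t0, "web_form", "Yes, send me marketing texts")
    led.record(phone, "sent", t0 + timedelta(days=1), "campaign")
    before = led.may_send_marketing(phone, t0 + timedelta(days=2))
    led.inbound(phone, "stop please", t0 + timedelta(days=2))
    after = led.may_send_marketing(phone, t0 + timedelta(days=2))
    return before, after
```

Replies where the keyword is not the first word ("please stop") are not matched by this sketch and would need a review queue or a broader rule.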
What happens when you get it wrong
TCPA statutory damages. $500 per violation (per message to a non-consenting recipient). $1,500 if the court finds the violation willful. A campaign sent to 10,000 people with a consent deficiency represents $5 million to $15 million in potential exposure.
Class action risk. TCPA is one of the most litigated consumer protection statutes in the US. Plaintiffs' firms actively recruit class members through online ads targeting people who receive unwanted texts.
Carrier penalties. Carriers can suspend your sending numbers. Rebuilding a suspended SMS program takes months.
Brand damage. Consumers who feel their privacy was violated don't come back.
The takeaway
SMS is a powerful lifecycle channel. It's also the least forgiving when compliance breaks down. The marketers who build durable SMS programs treat compliance as infrastructure, not a checkbox. They invest in consent management before they invest in creative. They register with carriers before they scale volume. They monitor delivery rates at the carrier level and catch filtering issues before they become blocking issues. The brands that skip this work eventually learn the cost. It's always higher than the investment would have been.