What are the TCPA requirements for SMS marketing?

TCPA requires prior express written consent before sending marketing texts to a wireless number. The consent must be clear, identify your organization specifically, and cannot be a condition of purchase. Violations carry $500 per unsolicited text, rising to $1,500 for willful violations, with no cap on class-action exposure.

What is 10DLC and why is it required?

10DLC (10-digit long code) is a carrier registration system that ties your business identity and message use case to your sending number. Registration is required for all A2P business texting on local long-code numbers, regardless of volume. Without it, carriers throttle or block your messages.

What hours are you legally allowed to send marketing texts?

Under TCPA, marketing texts may only be sent between 8 a.m. and 9 p.m. in the recipient's local time zone. Sending outside those hours — even if it's within business hours where you're located — is a violation.

How do you write a compliant SMS opt-in disclosure?

A compliant disclosure must include: your organization's name, a description of the message types subscribers will receive, approximate frequency, a statement that message and data rates may apply, and instructions for opting out (e.g., "Reply STOP to cancel"). The CTIA Messaging Principles document has current language guidance.

What is the difference between TCPA and CTIA compliance?

TCPA is federal law with legal penalties enforced by the FCC and private litigants. CTIA compliance is an industry standard enforced operationally by carriers — non-compliance results in message filtering, not lawsuits. You need both: TCPA for legal protection, CTIA for deliverability.

How long should I retain consent records?

There is no single federal statute setting a retention period for SMS consent records specifically, but given that TCPA lawsuits can be filed years after a message is sent, most compliance professionals recommend at least four to five years. Your legal counsel may recommend longer depending on your state. Getting SMS compliance best practices right from the start doesn't require slowing down. When consent is structured data in your contact system, campaign registrations match your actual message types, and your team has pre-approved templates for common scenarios, the operational overhead nearly disappears. Start by pulling your current contact list, checking how many records have documented opt-in proof, and treating that number as your baseline. Close the gap before your next bulk send, build consent collection into every new intake touchpoint going forward, and the rest of the process takes care of itself.

Mastering SMS Compliance Without Slowing Your Response Time

SMS compliance doesn't have to kill your response time. Learn TCPA, 10DLC, consent management, and opt-out rules in one practical guide.

Text Messaging and SMS Compliance

Following SMS compliance best practices doesn't have to slow your team down. Regulations like the Telephone Consumer Protection Act and the 10DLC registration framework exist to protect consumers from spam and abuse — but too many business owners treat them as a brake pedal rather than a built-in operating standard. The result is either legal exposure from cutting corners or sluggish response times from over-engineering every outbound message. This guide covers TCPA compliance for businesses, CTIA guidelines, 10DLC registration, SMS consent management, message timing rules, and opt-out handling SMS — so your SMS program stays clean without costing you speed.

TCPA and 10DLC Are Two Different Problems

TCPA is federal law, enforced by the FCC and through private litigation. It governs consent — specifically, whether you have written permission to send marketing messages to a given phone number. Violations carry statutory damages of $500 to $1,500 per text, with no cap on class-action exposure. The FTC's overview of the Telephone Consumer Protection Act is a useful starting point, though your legal counsel should be the final word on TCPA and 10DLC differences as they apply to your business.

10DLC (10-digit long code) is a carrier-level registration system administered through The Campaign Registry. It ties your business identity and message use case — appointment reminders, community alerts, customer service replies — to your sending number. Without registration, carriers throttle or block your messages. With it, deliverability improves substantially and you signal to carriers that you're a legitimate sender.

The practical difference: TCPA governs who you're allowed to text. 10DLC governs how your messages reach them. Both matter, but they require different controls in your workflow.

Requirement	TCPA (Federal Law)	10DLC (Carrier Registration)
Enforced by	FCC / private litigation	Mobile carriers / Campaign Registry
Focuses on	Consent and contact eligibility	Sender identity and use-case matching
Penalty for non-compliance	$500–$1,500 per text	Message filtering or blocking
Applies to	All A2P marketing texts	All A2P long-code texting
Key document	Express written consent record	Brand and campaign registration

The biggest reason SMS compliance slows teams down is that consent is captured informally — a verbal agreement, a checked box buried in a PDF — and nobody can find proof when they need to send a follow-up. Fix this by treating consent as structured data, not a formality.

Every contact in your system should carry a consent record that answers four questions:

Opt-in date and timestamp
Opt-in method (web form, keyword reply, signed document)
Message types consented to (transactional, marketing, or both)
Opt-out status and date, if applicable

When those answers are attached to a contact record — not sitting in a spreadsheet or someone's inbox — your team can send a message within seconds of receiving a request without pausing to verify eligibility manually. Platforms built for business text messaging compliance, like QuorumVoice, link every inbound SMS to a per-contact timeline so consent status, prior conversations, and opt-out history are visible before anyone hits send. This kind of visibility is also what makes SMS response time optimization possible — staff stop hesitating because the system already answers the compliance question for them.

For opt-in language, the CTIA Messaging Principles and Best Practices document specifies required disclosures at the point of collection. The language isn't long, but it must be present and clear: sender identity, nature of the messages, frequency, and a note that message and data rates may apply. These are the non-negotiable elements of SMS opt-in compliance best practices.

CTIA Guidelines Every Business Text Messaging Sender Must Follow

TCPA sets the legal floor, but CTIA guidelines set the operational standard carriers actually enforce. Ignoring them is one of the most common reasons registered senders still get filtered.

Sender identification: Every message must clearly identify who is sending it. Don't assume recipients remember signing up.
Opt-in disclosure at collection: The consent form or keyword confirmation must state the program name, message types, approximate frequency, that message and data rates may apply, and how to opt out.
Opt-out keywords: Your program must honor STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT. A confirmation must be sent immediately after any opt-out request.
HELP response: Replying HELP must return contact information or a support link.
Prohibited content: CTIA prohibits messages promoting cannabis, firearms sales, hate speech, sexually explicit content, and other restricted categories regardless of legal status in a given state.
Frequency disclosure: If you state "up to 4 messages per month," exceeding that frequency without re-consent is a compliance violation and a common source of carrier complaints.

For property management communication and other specialized use cases, CTIA's category-specific guidance can differ slightly — confirm requirements with your messaging provider before going live.

Message Timing and Frequency Rules

Under TCPA, marketing texts may only be sent between 8 a.m. and 9 p.m. in the recipient's local time zone — not yours. Sending a promotional message at 9:30 p.m. to a contact in a different time zone is a TCPA violation even if it's only 6:30 p.m. where you are. Most business text messaging platforms can automate time-zone-aware scheduling, which removes this risk entirely.

Frequency matters beyond the legal minimum. Exceeding stated message frequency without re-consent is one of the most common triggers for opt-outs and carrier complaints. If your opt-in disclosure says "up to 2 messages per week," hold to that. If your program needs to send more, update your disclosure language and collect fresh consent before increasing volume. Keeping frequency expectations aligned with your 10DLC compliance registration and CTIA disclosures means all three stay consistent.

10DLC Registration: Match Your Use Case and Avoid Carrier Filtering

This 10DLC registration guide covers the most common mistake businesses make: describing their use case too broadly or too narrowly when registering.

If you register under "customer care" but send promotional offers, carriers may filter those messages because the traffic pattern doesn't match the registered use case. If you register under "marketing" but your primary sends are service alerts, you've placed yourself in a category requiring stricter opt-in documentation than you may have collected.

Map your message types before you register. List every scenario in which you'll send a text: appointment reminders, payment notifications, emergency alerts, promotional announcements, survey follow-ups. Group them by the registration categories your messaging provider supports. In most cases, this means using multiple campaign registrations tied to the same brand — one for transactional messages, one for marketing — rather than forcing everything into one campaign ID.

10DLC compliance is required for any business sending application-to-person (A2P) messages on a local long-code number, regardless of volume. Low-volume senders are routinely surprised when messages get filtered; carrier systems don't make exceptions for small senders. Your messaging platform should walk you through registration requirements before you go live. If they don't offer registration support, that's a signal to ask harder questions.

Opt-Out Handling SMS as a Response-Speed Asset

Most businesses treat opt-outs as a compliance checkbox: honor STOP, send the confirmation, done. But opt-out handling SMS workflows can actually improve response speed if you build them correctly.

When a contact opts out, your system should immediately suppress them from all outbound queues — not just the next scheduled send. If a team member tries to send a manual reply to that contact, they should see a clear flag in the interface. This prevents a well-meaning staff member from texting someone who explicitly asked not to be contacted — which is both a TCPA risk and a customer experience failure.

Set up automated re-opt-in pathways for contacts who later reach back out. Under TCPA, a consumer who texts your business after opting out can be considered to have re-established consent for conversational replies, but your policies should specify this clearly and your legal counsel should review the language. The FCC's updated rules on stopping illegal robocalls and texts have tightened some of these consent interpretations, so staying current matters.

Opt-out suppression must also apply to automated triggers, not just manual sends. An automated follow-up that fires after a missed call to an opted-out contact creates the same liability as a manual message. If you're running missed-call text automations, confirm that opt-out logic is applied at the trigger level.

Putting SMS Compliance Best Practices Into Action

Audit Your Existing Contact List

Identify every phone number you've texted in the past 12 months and verify that you have documented opt-in records for each. Remove or quarantine contacts without documentation. Undocumented contacts are your highest litigation risk — this step is not optional.

Standardize Opt-In Collection

Update every touchpoint — website forms, paper intake forms, intake emails — to include CTIA-compliant disclosure language. Store the opt-in timestamp and method in your CRM or contact management system, not just in a form submission log.

Map Message Types and Register Your Campaigns

Work with your messaging provider to register the correct 10DLC campaign categories. If your platform doesn't offer registration support, you're likely sending on a shared short code or unregistered long code — both carry higher deliverability risk and put your SMS compliance posture at risk.

Connect SMS to Your Contact Timeline

Consent status, opt-out history, and prior messages should be visible to whoever is composing a reply. A communication intelligence platform that surfaces this information inline removes the manual verification step that slows most teams down. For a deeper look at how this kind of visibility works across calls, emails, and texts, see how to track every call, email, and text without a paper trail.

Write and Publish Your Internal SMS Policy

One to two pages is enough. Specify who is authorized to send outbound texts, what categories each registered campaign covers, how opt-outs are handled, and what to do if a contact disputes consent. Pre-approved templates for common scenarios mean most messages can go out without additional review — reserve sign-off for new campaign categories, not routine replies.

Set Up Automated Confirmations

Every new opt-in should trigger a confirmation text restating the program name, frequency, and how to stop messages. Every opt-out should trigger a confirmation that the stop request was honored. Both can be fully automated and add zero latency to real-time conversations.

Test Before Sending at Scale

Before any bulk send, run 10–20 test messages and verify delivery rates, opt-out processing, and content filter flags. Carriers sometimes flag messages for keywords associated with spam; catching this in a test run saves a failed campaign.

A Real-World Example: Property Management SMS Compliance

A mid-sized property management company manages 800 units across six communities, sending maintenance reminders, package alerts, and lease renewal notices via text. Before restructuring, staff texted residents from personal phones, opt-in records lived in undigitized lease agreements, and there was no 10DLC registration. Deliverability was inconsistent, and when a resident disputed receiving unauthorized texts, nobody could pull documentation quickly.

After implementing the approach above, they:

Registered their brand through The Campaign Registry using two campaigns — one for transactional/service messages, one for leasing outreach.
Updated their move-in packet with a CTIA-compliant SMS consent form and scanned signed forms into their property management software linked to each resident's contact record.
Configured QuorumVoice to log all inbound and outbound SMS to resident timelines, giving any staff member immediate visibility into consent status and opt-out history.
Created five pre-approved templates for common scenarios (package arrival, maintenance window, rent reminder, community alert, lease renewal), reserving custom messages for specific situations only.

Response times improved because staff no longer hesitated before sending — consent was already answered in the system. When a resident later disputed a lease renewal message, the company produced the signed consent record and conversation log in under two minutes. For more on how property management teams handle communication logging, see top call logging tools for property management companies.

Where Teams Go Wrong With Business Text Messaging Compliance

Assuming an inbound text is blanket permission. If someone texts your business number first, you can reply — that's a conversational exchange. But adding that number to a broadcast list without explicit consent requires a fresh opt-in.

Treating 10DLC registration as a one-time task. If your use case changes — new message category, updated business name, new number — you need to update your registration. Outdated registrations cause filtering even on otherwise compliant programs.

Ignoring state-level laws. TCPA is the federal floor, not the ceiling. California's CCPA adds data-rights obligations on top of TCPA, including the right to deletion of SMS opt-in records upon consumer request. Florida's Florida Telephone Solicitation Act imposes stricter requirements for marketing texts. If you're texting contacts across multiple states, your legal review should include a state-level check.

Siloing SMS from other communication channels. When texts, calls, and emails live in separate systems, consent gaps are harder to spot. A unified multi-channel communication approach makes it easier to enforce consistent opt-out rules and audit contact history across channels.

Frequently Asked Questions

Written by

Derrick Threatt

Author at QuorumVoice

Derrick Threatt is an AI Automation Engineer and marketing operations leader who builds AI-driven systems, automations, and data workflows to improve revenue, operations, and team productivity.

View all posts →

Last Updated

June 19, 2026