Text Message Laws Every Business Needs to Follow

SMS compliance basics: federal regulations to know

Several governing bodies have created regulations regarding telemarketing communications. These laws are updated continually to reflect technological advancements and evolving business practices. Here are some laws you should be aware of.

Telephone Consumer Protection Act (TCPA)

The TCPA is the primary telemarketing law in the United States. Passed by Congress in 1991 and governed by the Federal Communications Commission (FCC), the TCPA has been amended numerous times to target unsolicited text messages and phone calls. It emphasizes privacy rights through the following measures:

• Auto-dialer restrictions: The TCPA restricts auto-dialer calls, also called robocalls, in which an automatic telephone dialing system calls or messages consumers without human intervention by selecting phone numbers from a digitally stored list.
• Identification: Commercial entities must identify themselves in each communication and state their reason for contact clearly.
• Hours of operation: Communication must occur between 8 a.m. and 9 p.m. in the consumer’s local time zone.
• Opt-out functions: Consumers can request that their phone number be placed on a do-not-contact list at any time. All text communications must allow consumers to opt out of the company’s subscriber list by directly replying to the text.
• Prior express written consent: Companies may not contact customers with commercial or marketing offers without obtaining prior express written consent. This consent must be documented and cannot rely on previous contact, verbal confirmation or purchase history.

Express written consent

Express written consent, as required by the TCPA and defined by the Cellular Telecommunications Industry Association (CTIA), validates the contract between a business and its customers to communicate through text messaging. The offer for customer consent to telemarketing must meet the following criteria in writing:

• Explain the reason the business requests the customer’s contact information.
• Provide a clear estimate of how often customers will receive messages and explain the content of those messages.
• Give customers access to the full terms and conditions of their consent, either directly or through a hyperlink.
• Require customers to affirm their agreement, such as by clicking “I consent” or selecting “yes” to sign up.
• Allow customers to opt out of receiving messages at any time and for any reason, typically through a direct reply.
• Inform customers that standard messaging and data rates may apply.

Brian Wilson, chief commercial officer at Abridge and former chief revenue officer of SlickText, emphasized the critical importance of obtaining full, express written consent. “The most common mistake we see is not receiving prior consent,” Wilson told us. “If there’s one central rule around compliance with federal regulations, it’s to receive consent from the individuals you are going to be messaging.”

CAN-SPAM Act

The Federal Trade Commission (FTC) enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) in 2003 to establish rules for commercial email communications. The Act governs all unsolicited commercial emails and includes provisions for opt-out mechanisms, accurate subject lines and sender identification.

Under the CAN-SPAM Act, informational messages that do not promote new business, such as order confirmations or shipping updates, are valid exceptions and can be sent without express written consent. However, even these messages must allow recipients to opt out of future communications.

While the CAN-SPAM Act primarily regulates email marketing, it has influenced broader digital communication laws. Text message marketing is governed chiefly by the TCPA, with the FCC overseeing compliance. The FTC, meanwhile, has the authority to write additional guidelines for text message marketing within the framework of the CAN-SPAM Act.

Industry guidelines: CTIA and carrier recommendations

The CTIA is a national trade group that represents the wireless communications industry. The CTIA is not a governing body, but mobile carriers enforce its guidelines and may suspend or block SMS campaigns that don’t comply.

The CTIA provides a Messaging Principles & Best Practices document to clarify and expand on many of the provisions set forth in the TCPA and CAN-SPAM Act. This document outlines best practices for securing clear and verifiable express written consent from consumers for SMS marketing.

Key CTIA requirements include:

• Message frequency limitations to prevent customer fatigue and complaints
• Clear consent documentation that meets both TCPA and carrier standards
• Prohibited practices such as misleading content, excessive frequency or lack of proper opt-out mechanisms
• Carrier approval processes for high-volume campaigns through platforms like The Campaign Registry (TCR)

The CTIA guidelines have become essential for ensuring deliverability, as carriers reserve the right to shut down short codes and block senders that violate these guidelines.

International laws and regulations

International consumer privacy laws govern all communication conducted within their territories, regardless of a business’s primary headquarters location. The strictest of these laws is the European Union’s General Data Protection Regulation (GDPR).

In addition to requiring express consent, the GDPR mandates that businesses storing European customer data comply with six key principles of data protection: 

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

Compliance with these regulations often requires significant financial and legal resources to implement proper safeguards.

Canada enforces its own regulations under Canada’s Anti-Spam Legislation (CASL). While CASL primarily governs email, it also applies to SMS and other forms of electronic communication. If your SMS campaigns meet the express written consent criteria defined by the TCPA and CTIA, they will likely align with CASL requirements. However, CASL also mandates that businesses maintain clear records of consent and ensure message content adheres to specific rules. If you are unsure whether your campaigns meet U.S. or international criteria, consult a business lawyer.

State-level text message laws

Several states have enacted their own “mini-TCPA” laws, adding another layer of complexity. California, Florida and Washington (among others) have stricter regulations than the federal TCPA.

Texas Senate Bill 140

The most significant state-level development in 2025 is Texas Senate Bill 140 (SB 140), which took effect on September 1, 2025. This law significantly expands Texas’s telemarketing regulations to cover marketing by text message, applying to any business that sends marketing texts to Texas residents regardless of where the business is located.

Key requirements under Texas SB 140 include:

• Registration with the Texas Secretary of State and posting a $10,000 bond
• Annual renewal at a $200 fee
• Messaging hour restrictions: no promotional texts after 12 p.m. on Sunday in addition to standard overnight quiet hours (9 p.m. to 9 a.m.)
• Additional disclosure requirements including business name, address and purpose
• Exemptions are very limited and apply only to current/former customers of businesses operating under the same name for two years

Other notable state laws

Many states have implemented regulations that go beyond federal requirements:

• Arizona, Connecticut, Florida, New Jersey, Oklahoma, Washington and Wisconsin require explicit consent before texting consumers.
• California and Florida require clear opt-out methods and mandate stopping texts within 15 days of opt-out requests.
• Connecticut requires prior express written consent with fines up to $20,000 per violation.
• Oklahoma limits texts to three per day on the same topic and imposes an 8 a.m. to 8 p.m. time window.
• Virginia treats unsolicited commercial texts as “telephone solicitations” under state do-not-call rules.

2025 updates and compliance trends

The TCPA landscape has seen dramatic changes in 2025, with enforcement actions surging significantly.

Enforcement surge

In Q1 2025, 507 TCPA class actions were filed, marking a 112 percent increase from the same period in 2024. This dramatic rise reflects shifting enforcement patterns and growing emphasis on consumer communications practices.

Key enforcement trends include:

• Roughly 80 percent of active TCPA cases involve class action claims.
• Time-of-day allegations are on the rise, with more than 100 lawsuits filed in March 2025 alone alleging violations of timing restrictions.
• Mobile carriers are introducing tighter spam filters that flag high-volume or unsolicited messages.

Supreme Court decision impact

On June 20, 2025, the U.S. Supreme Court ruled that district courts aren’t required to follow an agency’s pre-enforcement interpretation of a statute. This decision affects how TCPA regulations are applied, potentially creating more uncertainty in compliance requirements.

Message timing restrictions

There’s a growing trend of lawsuits over calls placed outside the TCPA’s permitted hours — before 8 a.m. or after 9 p.m. local time. Many of these violations involved text messages, highlighting the need for strict adherence to timing requirements.

Best practices for SMS compliance

The potential for fines and regulations might discourage some businesses from using SMS marketing, but mass texting is too effective to ignore. Here are several ways to fulfill TCPA requirements while successfully marketing your business.

Include all information necessary for express written consent.

Use the express written consent guidelines above to ensure your first message to a new subscriber includes all necessary information, including the following:

• Business name
• Reason for messaging
• Message frequency
• Rates disclaimer
• Link to your privacy policy and terms
• Opt-out instructions

“Unlike email marketing, marketing via text requires express opt-in consent,” said Kanika Chander, lawyer and owner of Cloudbreak Legal. “The consent must contain specific language [and] companies must be able to comply with requirements for how to opt customers out if/when they request.”

Here’s a simple template to get you started:

“Hi [Name], thanks for signing up for the [Company] Summer Sale! We’ll send you personalized deals every week. Up to 4 msgs/month. Msg & data rates may apply. Reply HELP to review terms, STOP to cancel.”

Use keyword shortcodes.

A keyword shortcode is a word or phrase customers can text to a specified number to sign up for your text messages. Businesses can provide that keyword to the customer within a CTIA-compliant disclaimer that includes all components of express written consent. When a customer responds with the keyword, they have provided consent.

Consider a double opt-in.

A double opt-in is the safest way for a business to ensure the legality of its text messages. After a subscriber has provided their phone number, send a follow-up message asking them to confirm their subscription by replying “yes” or “no.” This additional step removes any doubt that a keyword message or email subscription was insufficient to obtain the consumer’s express written consent.

“Any time companies have a certain age level or verification they want to do with an individual … they may want to use a double opt-in to understand how old the person is before [they] agree to include them in [their] text marketing list,” Wilson advised.

Maintain your commitments.

Text message campaigns offer the highest open rates of all marketing channels. This success can tempt a business to inundate its subscribers with SMS notifications, but contacting customers too frequently can put you at risk of violations and damage your brand image. Annoying text message campaigns can quickly lead to unsubscribes and complaints.

SMS regulations are designed to ensure businesses honor their promised messaging frequency. By adhering to these laws, your text messaging will remain an infrequent surprise and customers will be less likely to grow annoyed and perceive these messages as spam. 

Provide an incentive to sign up.

Offer value for customers who sign up for your text messages. For example, subscribers could receive discounts, limited-time offers or additional features to your core services, such as delivery tracking or real-time alerts. Consider how your favorite brands could convince you to provide your phone number and then see how your business might use a similar approach.

Use dedicated SMS marketing software. 

Dedicated SMS marketing software is one of the best ways to streamline your marketing program and help ensure compliance with the latest laws and regulations. The best text message marketing services include built-in compliance features like template libraries, integration with third-party business apps and lists to segment and sort subscribers.

In addition, text message marketing platforms can be used for other business purposes, such as customer service, facilitating payments and shipping updates. Regardless of your use case or industry, the right business SMS software can ensure you comply with text message laws and industry regulations.

Quick reference table: federal vs. state vs. carrier rules

Penalties for non-compliance

Even one mistake with text messaging compliance can result in hefty fines. Each violation incurs a fine of $500 per occurrence. Notably, this penalty applies to each individual message in breach of TCPA compliance — not the campaign as a whole.

“Under TCPA violations for noncompliant companies can be $500 to $1,500 per violation, which could mean per noncompliant text message. These can really add up,” said Chander. “There’s no cap on damages, so class actions or active plaintiffs lawyers pose a big risk in this area.”

For example, an SMS campaign that illegally messaged 1,000 contacts could incur fines totaling at least $500,000. If the violations are deemed intentional, the fines are tripled to $1,500 per message. In that same campaign, intentional violations would increase the total penalty to $1.5 million — and this assumes only one message per recipient.

These penalties are uncapped and businesses are held accountable for every violation. As subscriber lists grow, so does the potential liability, often exceeding insurance coverage limits.

“Risks come from private rights of actions (direct suits by consumers); class actions; and/or government enforcement actions (e.g., by the FCC or a state attorney general),” said Chander.

Garrett Olexa, vice president of legal affairs at Sun Health, highlighted common mistakes businesses make with text messaging compliance, including “mistakenly assuming that just hiring a third party to send out the texts shields their business from liability.” When using a third-party texting service, businesses remain responsible for their message content. Olexa also warned companies against assuming their business’s general liability insurance coverage will apply to any statutory violation, which is often not the case.

“Using vendors to manage your marketing text communications can be helpful, but you need to do proper diligence and have a protective agreement in place,” Chander advised.

Skye Schooley and Sean Peek contributed to this article. Some source interviews were conducted for a previous version of this article.