Text Message Laws Every Business Needs to Follow

SMS compliance basics: federal regulations to know

Several federal agencies, regulators and industry groups help shape the rules around telemarketing communications. While core laws like the TCPA have been in place for decades, FCC rules, court interpretations and carrier requirements continue to evolve as technology and marketing practices change. 

Here are some regulations every business should know.

Telephone Consumer Protection Act (TCPA)

The TCPA is the primary telemarketing law in the United States. Passed by Congress in 1991 and governed by the Federal Communications Commission (FCC), the TCPA has been updated and interpreted through rule changes and court decisions to address unsolicited text messages and phone calls. It emphasizes consumer privacy through the following measures:

• Auto-dialer restrictions: The TCPA restricts certain marketing calls and text messages sent using an auto dialer, formally known as an automatic telephone dialing system (ATDS), or prerecorded messages without the recipient’s consent.
• Identification: Commercial entities must identify themselves in each communication and state their reason for contact clearly.

• Hours of operation: Communication must occur between 8 a.m. and 9 p.m. in the consumer’s local time zone.
• Opt-out functions: Businesses must honor opt-out requests, whether a customer replies with a standard keyword like “STOP” or uses another reasonable method to clearly communicate they no longer want to hear from you. In most cases, that request must be processed within 10 business days.
• Prior express written consent: Before sending automated marketing text messages, businesses must obtain clear, documented written consent from recipients. Consent should be specific, easy to verify and separate from purchase history, prior business relationships or verbal conversations. (More on this below.)

Express written consent

Express written consent (as required by the TCPA and interpreted through FCC rules) documents a customer’s permission to receive marketing text messages from your business. The request for consent must meet the following criteria in writing:

• Explain why the business is requesting the customer’s contact information.
• Provide a clear estimate of how often customers will receive messages and explain the content of those messages.
• Give customers access to the full terms and conditions of their consent, either directly or through a hyperlink.
• Require customers to affirm their agreement, such as by clicking “I consent” or selecting “yes” to sign up.
• Allow customers to opt out of receiving messages at any time and for any reason, including through standard keywords like “STOP” or any other reasonable method that clearly communicates their intent.
• Inform customers that standard messaging and data rates may apply.

Brian Wilson, chief commercial officer at Abridge and former chief revenue officer of SlickText, emphasized the critical importance of obtaining full, express written consent.

“The most common mistake we see is not receiving prior consent,” Wilson explained. “If there’s one central rule around compliance with federal regulations, it’s to receive consent from the individuals you are going to be messaging.”

CAN-SPAM Act

The Federal Trade Commission (FTC) enacted the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) in 2003 to establish rules for commercial email communications. The Act governs unsolicited commercial emails and includes requirements for opt-out mechanisms, accurate subject lines and clear sender identification.

Not every business message under the CAN-SPAM Act is treated the same. Order confirmations, shipping updates and similar service-related texts or emails usually aren’t viewed the same way as promotional campaigns, so businesses can typically send them without separate written marketing consent. They still need to include the right disclosures, though, and customers must have a clear way to opt out of future messages.

The CAN-SPAM Act mainly applies to email marketing, but the same ideas around transparency and consumer choice show up across all digital marketing strategies. Text marketing follows a different set of rules and falls mainly under the TCPA. If an SMS campaign crosses into deceptive or misleading territory, the FTC can step in, too.

Other text message compliance rules to know

Federal laws like the TCPA and CAN-SPAM Act lay the foundation for SMS compliance, but they’re only part of the picture. Depending on where your customers live, how you collect consent and which messaging platforms or carriers you use, your business may need to follow additional industry guidelines, state regulations and international privacy laws.

Industry guidelines: CTIA and carrier recommendations

The Cellular Telecommunications Industry Association (CTIA) is a national trade group that represents the wireless communications industry. While it doesn’t create laws, mobile carriers rely heavily on its messaging standards and may suspend or block SMS campaigns that don’t comply.

Its Messaging Principles and Best Practices document helps carriers, messaging platforms and businesses set expectations around consent, message frequency, content standards and consumer opt-out rights. It also reinforces many of the compliance practices businesses already follow under the TCPA and CAN-SPAM Act.

Key CTIA requirements include:

• Message frequency limits to help prevent customer fatigue and complaints
• Clear consent documentation that meets both TCPA and carrier standards
• Prohibited practices such as misleading content, excessive frequency, missing opt-out instructions or restricted SHAFT-related content involving sex, hate, alcohol, firearms or tobacco without proper safeguards
• Carrier approval processes for high-volume campaigns through platforms like The Campaign Registry (TCR)

Following CTIA guidelines has become essential for SMS deliverability. Carriers can suspend short codes, reject campaigns or block senders that repeatedly violate these standards.

International laws and regulations

Consumer privacy laws don’t stop at U.S. borders. If your business sends marketing messages to customers in other countries, you may need to comply with local privacy and consent requirements regardless of where your company is based.

One of the best-known examples is the European Union’s General Data Protection Regulation (GDPR), which is widely considered one of the world’s strictest privacy laws. In addition to requiring express consent, the GDPR requires businesses that collect or store European customer data to follow six core data protection principles:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

Meeting these requirements often means investing in stronger data security practices, documentation and legal oversight.

Europe isn’t the only market with strict messaging and privacy rules. For example, Canada enforces its own rules under Canada’s Anti-Spam Legislation (CASL). While CASL is often associated with email marketing, it also applies to SMS and other electronic communications. Businesses must obtain valid express or implied consent, maintain clear records and make it easy for recipients to unsubscribe from future messages.

If you’re unsure whether your campaigns meet U.S. or international compliance standards, consult a qualified business attorney.

State-level text message laws

Federal laws like the TCPA set the baseline for SMS compliance, but a growing number of states have added their own “mini-TCPA” laws, creating another layer of rules for businesses to navigate. States such as California, Florida and Washington, among others, impose requirements that go beyond federal law.

A few recent examples stand out:

Texas Senate Bill 140 (SB 140)

One of the biggest recent shifts came out of Texas. When Texas Senate Bill 140 took effect on September 1, 2025, it expanded the state’s telemarketing rules to cover promotional text messaging. The law applies to businesses that text Texas residents — even if the business itself is based somewhere else.

For businesses that send unsolicited marketing texts, key requirements under Texas SB 140 may include:

• Registration with the Texas Secretary of State and posting a $10,000 bond, though consent-based opt-in programs may be exempt under recent legal guidance
• Annual renewal with a $200 fee
• Messaging hour restrictions, including no promotional texts after noon on Sunday, in addition to standard overnight quiet hours (9 p.m. to 9 a.m.)
• Additional disclosure requirements, including the business’s name, address and purpose
• Limited exemptions that generally apply only to current or former customers of businesses operating under the same name for at least two years

Other notable state laws

Texas isn’t the only state tightening text message compliance. A growing number of states now impose rules that go beyond federal requirements:

• Arizona, Connecticut, Florida, New Jersey, Oklahoma, Washington and Wisconsin require explicit consent before businesses text consumers.
• California requires clear opt-in and opt-out disclosures before businesses send promotional text messages.
• Florida requires clear opt-out methods and generally requires businesses to stop sending messages within 15 days of an opt-out request.
• Connecticut requires prior express written consent and allows fines of up to $20,000 per violation.
• Oklahoma limits businesses to three text messages on the same topic within 24 hours and enforces an 8 a.m. to 8 p.m. messaging window.
• Virginia treats unsolicited commercial text messages as telephone solicitations under its state do-not-call rules.

Quick reference table: federal vs. state vs. carrier rules

Federal laws, state regulations and carrier guidelines don’t always line up exactly, which can make SMS compliance feel more complicated than it needs to be. Use this quick reference chart to see how some of the most common requirements compare.

Best practices for SMS compliance

The potential for fines and compliance headaches might make some businesses think twice about SMS marketing, but text messaging is still one of the most effective ways to reach customers. The key is building compliance into your process from the start. Here are several ways to meet SMS marketing requirements while still running effective campaigns.

1. Include all information necessary for express written consent.

Use the express written consent guidelines above to make sure your opt-in form, signup page or consent workflow includes all required information before you send a subscriber their first marketing text. That typically includes:

• Business name
• Reason for messaging
• Message frequency
• Rates disclaimer
• Link to your privacy policy and terms
• Opt-out instructions

Kanika Chander, lawyer and owner of Cloudbreak Legal, emphasized the importance of getting consent right.

“Unlike email marketing, marketing via text requires express opt-in consent,” Chander explained. “The consent must contain specific language [and] companies must be able to comply with requirements for how to opt customers out if/when they request.”

Here’s a simple template to get you started:

“Hi [Name], thanks for signing up for the [Company] Summer Sale! We’ll send you personalized deals every week. Up to 4 msgs/month. Msg & data rates may apply. Reply HELP to review terms, STOP to cancel.”

Note that while “STOP” remains the most common opt-out keyword, businesses must also honor other standard unsubscribe requests — or any other reasonable method a customer uses to clearly communicate they no longer want marketing messages.

2. Use keyword shortcodes.

A keyword shortcode is a word or phrase customers can text to a designated number to sign up for your text messages. Businesses often promote these keywords on websites, in stores, on social media or at live events to make joining an SMS list quick and easy.

The keyword itself isn’t what creates consent. The call to action around it does. To hold up under TCPA, CTIA and carrier standards, your opt-in language should clearly explain what customers are signing up for before they ever send that first text.

That disclosure should include:

• Your business name
• The purpose of your messages
• Estimated message frequency
• Message and data rate disclosures
• Links to your privacy policy and terms
• Clear opt-out instructions

Once customers see those disclosures and text back with the keyword, you have a much stronger record showing they knowingly signed up for your SMS marketing program.

3. Consider a double opt-in.

A double opt-in adds an extra layer of protection and is often considered one of the safest ways to document consent for SMS marketing. After a subscriber shares their phone number, send a follow-up text asking them to confirm their subscription by replying “yes” or “no.”

That extra step helps verify that the customer intended to sign up and creates a stronger record of consent if questions ever come up about how someone joined your list.

Wilson offered another practical use case for double opt-in:

“Any time companies have a certain age level or verification they want to do with an individual … they may want to use a double opt-in to understand how old the person is before [they] agree to include them in [their] text marketing list,” Wilson advised.

4. Maintain your commitments.

Text message campaigns often generate some of the highest open rates in marketing. In fact, according toEZ Texting’s 2025 Consumer Texting Report, marketing-related texts have an average open rate of 98 percent. That kind of engagement can tempt businesses to send more messages, more often, but pushing too hard can backfire fast. Customers who feel bombarded are more likely to unsubscribe, file complaints or start viewing your messages as spam.

That’s why message frequency matters. If you promised four texts a month during the opt-in process, stick to it. Staying consistent with the expectations you set — and resisting the urge to over-message when a campaign is performing well — helps protect your compliance, your deliverability and your brand reputation.

5. Provide an incentive to sign up.

Customers are far more likely to share their phone numbers when there’s a clear benefit in return. That could mean exclusive discounts, limited-time offers or useful service updates like delivery tracking, appointment reminders or real-time alerts.

The easier it is for customers to understand what they’re getting — and why it’s worth signing up — the easier it becomes to earn meaningful, compliant consent. Think about the brands you actually opt into. Chances are they offer something timely, useful or hard to get anywhere else. Your business should do the same.

6. Use dedicated SMS marketing software.

Dedicated SMS marketing software can make it much easier to scale your messaging program while keeping compliance top of mind. The best text message marketing services include built-in tools for managing consent, automating opt-outs, segmenting subscribers and documenting customer activity, all of which can make compliance easier as laws, carrier standards and platform requirements continue to evolve.

These platforms can also support other parts of your business, from customer service and payment reminders to appointment confirmations and shipping updates. No software can replace good compliance practices, but the right SMS platform can help you stay organized, document consent and reduce the risk of costly mistakes.

Penalties for noncompliance

Even businesses with solid opt-in practices can run into trouble with compliance issues. Federal fines can add up fast, state penalties can pile on more, and something as simple as a vendor mistake can turn into a very expensive problem.

Federal TCPA penalties

Under the TCPA, businesses may face $500 in damages for each noncompliant text message — not per campaign. If a violation is found to be willful or knowing, that amount can jump to $1,500 per message.

“Under TCPA violations for noncompliant companies can be $500 to $1,500 per violation, which could mean per noncompliant text message. These can really add up,” Chander said. “There’s no cap on damages, so class actions or active plaintiffs’ lawyers pose a big risk in this area.”

To see how quickly those numbers can grow, imagine an SMS campaign that illegally reaches 1,000 contacts. That could expose a business to at least $500,000 in damages. If those violations are found to be intentional, the potential liability jumps to $1.5 million — and that’s assuming only one message per recipient.

State-level penalties

Federal TCPA damages are often just the starting point. Many state “mini-TCPA” laws can add another layer of exposure, and in some cases, state penalties may stack on top of federal damages.

For example, Connecticut allows fines of up to $20,000 per violation, while Texas Senate Bill 140 may expose certain noncompliant campaigns to additional damages under state consumer protection laws.

That means a campaign that violates both federal and state rules can become significantly more expensive than TCPA penalties alone.

Other compliance risks

The financial risk doesn’t stop with fines. Businesses can also face consumer lawsuits, class action claims, state or federal enforcement actions, and reputational damage if customers report unwanted or misleading text messages.

Another common mistake is assuming a third-party texting vendor absorbs that risk. Garrett Olexa, vice president of legal affairs at Sun Health, cautioned that some businesses mistakenly assume that just hiring a third party to send out the texts shields their business from liability. In most cases, it doesn’t. Even when you work with an outside texting platform, your business is still responsible for message content, consent records and compliance. General liability insurance coverage for statutory violations may also be limited or unavailable.

“Using vendors to manage your marketing text communications can be helpful, but you need to do proper diligence and have a protective agreement in place,” Chander advised.

Skye Schooley and Sean Peek contributed to this article. Source interviews were conducted for a previous version of this article.