07
Compliance8 min read

SMS Marketing Compliance: What Small Businesses Need to Know About TCPA

The Telephone Consumer Protection Act applies to every business that sends marketing text messages, regardless of size — and non-compliance carries real financial risk, from $500 to $1,500 in statutory damages per violation.

This article is general education, not legal advice. TCPA enforcement and carrier rules change; consult a qualified attorney before finalizing your SMS opt-in and compliance process.

SMS is one of the most effective channels a small business has — and one of the most tightly regulated. Unlike email, where the rules (largely governed by CAN-SPAM) are relatively forgiving, text messaging falls under the TCPA, a federal law with real teeth and no small-business exemption. Getting the basics right isn't optional, but it also isn't complicated once you understand the core requirements.

The core rule: prior express written consent

Before you send a single marketing text, you need documented consent from that specific person, for your specific business. This consent has to be affirmative — a pre-checked box doesn't count, and consent gathered for one purpose (like appointment reminders) doesn't automatically extend to promotional marketing texts. The consent needs an equivalent of a signature, which can be electronic: checking an unchecked box on a form, clicking a clearly labeled submit button, or texting a specific keyword to opt in.

What a compliant opt-in actually needs to say

A valid opt-in disclosure, shown to the customer before they consent, must include:

Keep a record of exactly when, where, and how each person opted in — this documentation is your primary defense if consent is ever challenged.

$500–$1,500

Per violation in statutory damages for non-compliant SMS marketing — and each individual text sent without proper consent can count as a separate violation.

Source: TermsFeed, TCPA Express Written Consent Guide

Opt-out rules changed in 2025 — and this trips businesses up

As of April 2025, the FCC updated its consent revocation rule: businesses must honor opt-out requests made through any reasonable channel, not just a "STOP" reply to a text. That means if a customer tells an employee in person, emails your business, or says it over the phone that they want to stop receiving texts, that request counts and needs to be processed — generally within 10 business days, though real-time processing is quickly becoming the practical standard. A system that only removes people who text back "STOP" is no longer sufficient on its own.

There's no small-business exemption

A common and costly misconception: TCPA only applies to large companies with call centers and mass texting operations. It doesn't. The law applies identically to a single-location boutique texting 200 people and a national retailer texting 2 million. Business size affects your risk exposure and visibility to regulators, not your legal obligation.

A simple compliance checklist

Why this matters beyond avoiding fines

Compliance isn't just risk management — it's also what makes SMS marketing sustainable as a channel. A business with clean opt-in practices has a list of people who genuinely want to hear from them, which means better engagement, lower opt-out rates, and a program that keeps performing instead of degrading. Cutting corners on consent doesn't just create legal exposure; it usually produces a worse list, too.

10DLC registration: the piece businesses forget

Beyond opt-in consent, US carriers require businesses sending SMS marketing through standard 10-digit long codes to register through a process commonly called 10DLC (10-Digit Long Code) registration. This isn't optional paperwork — unregistered traffic increasingly gets filtered, delayed, or blocked outright by carriers, meaning your carefully written win-back text might simply never arrive. Most reputable SMS platforms handle this registration process as part of onboarding, but it's worth confirming directly rather than assuming it's automatic, since registration typically takes days to a couple of weeks to clear.

Mixing transactional and marketing messages: a common gray area

Appointment reminders, order confirmations, and shipping updates are generally treated as transactional messages under a more lenient standard than marketing texts, since they're tied to a specific existing transaction rather than a promotional push. The gray area appears when a business tries to slip a promotional line into what's framed as a transactional message — "Your appointment is confirmed for 2pm! P.S. don't forget our sale this weekend." Regulators and carriers increasingly scrutinize this blending, and the safest practice is to keep transactional and promotional messages clearly separated, with separate consent where required.

What happens if a complaint or violation actually occurs

If a customer files a complaint or a TCPA claim arises, the business's documented opt-in records become the central piece of evidence. This is why keeping a timestamped log — who opted in, when, through what specific form or keyword, and what disclosure language they saw — matters more than almost any other part of the compliance process. Businesses that treat this documentation as a footnote rather than a core requirement are the ones left exposed when a dispute actually happens.

Building compliance into the culture, not just the software

Software and platforms can enforce a lot of this automatically, but the human side matters too — train any employee collecting sign-ups in person (at an event, at the register) on exactly what needs to be said and shown before someone opts in. A rushed, verbal-only sign-up at a busy event without the proper disclosure is one of the most common compliance gaps we see, precisely because it happens outside the neatly controlled environment of a website form.

Frequently asked: does this apply to a single follow-up text, or only bulk campaigns?

It applies to any marketing text sent using an automated system, regardless of volume — a single automated promotional text to one person still requires the same documented consent as a campaign sent to thousands. The law is triggered by the use of an "automatic telephone dialing system" or similar automated platform for marketing content, not by send volume. A genuinely one-off, manually typed and sent text from an employee's personal phone sits in a different (though still not risk-free) category, but any message sent through a marketing SMS platform should be treated as requiring full compliance, whether it goes to one person or ten thousand.

Choosing a platform that handles compliance responsibly

Not every SMS tool is built with the same level of compliance rigor. When evaluating a platform, look for built-in 10DLC registration support, automatic opt-out processing across STOP-style keywords, clear audit logs showing when and how each contact opted in, and documentation or support around consent language. A platform that treats compliance as a core feature rather than an afterthought meaningfully reduces the operational burden of staying compliant as your list grows — this is one area where the right tool genuinely does most of the heavy lifting, provided you still handle your side (collecting and documenting consent properly) correctly.

Key takeaway

TCPA requires documented, specific, written consent before any marketing text — with no exemption for small businesses. Keep records, honor opt-outs from any channel within days, and treat compliance as part of building a healthy list, not just a legal formality.

← Back to all posts