For ecommerce brands, it’s the most wonderful time of the year. There is no bigger event in the industry than BFCM, and the best part about BFCM is how this once two-day holiday (Black Friday followed by Cyber Monday) has evolved beyond the Cyber 5 (Thanksgiving to Giving Tuesday) to an entire season of holiday shopping, flash sales, deals, coupons replaced by CashBack and compliance. 

While compliance isn’t as fun as planning those campaign sends, compliance rules and regulations exist to protect consumers and preserve the long-term value of SMS as a marketing channel. 

These requirements fall into two categories: legal requirements (TCPA & state-specific) and industry requirements (carriers). Not following legal requirements can lead to expensive lawsuits, while not following industry requirements can lead to your texts being filtered (i.e., not reaching the end consumer), additional restrictions on sending opt-out directions, or your program being shut down. 

First, always ensure you follow the rules outlined by the Telephone Consumer Protection Act (TCPA). 

• Only text customers where you have obtained consumer consent. This means that consumers have to opt in and know the terms of joining your SMS program (i.e., make sure you display your compliance disclosure language at all opt-in points). 

• Support opt-out requests- If someone doesn’t want to continue receiving texts, they should be removed from your program. 

• Honor quiet hours- The federal TCPA suggests that messages be sent only between 8 a.m. and 9 p.m. (waking hours). These hours vary by state (more on that shortly).

Next, make sure your program is following any state-specific requirements. Currently, there are three states (soon to be four) with their own mini-TCPA regulations: Florida, Washington, and Oklahoma, but by the time the holiday season is over, there will be two more states with their own rules in place: Connecticut and New Jersey. And you can ring in the New Year with the addition of Maryland.

Most state regulations add similar restrictions: increasing quiet hours and potentially adding message caps (i.e., a limit on the number of messages within a rolling 24-hour window), but some states, like New Jersey, have unique requirements. 

Florida requirements:

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

• More restrictions on what messages are allowed during quiet hours

• Limit of 3 messages within 24 hours for a specific campaign or product

Note: Florida statute requires all numbers to be able to receive voice callbacks on the number sending the message (not all phone numbers support incoming calls, which is why this particular piece of legislation has been under review). 

Oklahoma requirements:

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

• Limit of 3 messages within a rolling 24 hour

Note: Oklahoma also has the same requirement of being able to call the number where a text message was sent from.

Washington requirements: 

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

Connecticut requirements in effect on October 1, 2023: 

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

New Jersey requirements in effect on December 1, 2023:

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

• Brands must include their mailing address in each message (more on this shortly, but don’t worry, there are ways to handle this without making your texts really long)

Maryland requirements in effect January 1, 2024: 

• Longer quiet hours (reducing waking hours to 8 am to 8 pm local time)

• Limit of 3 messages within a rolling 24-hour window

Finally, you’ll want to ensure you follow industry requirements/best practices. These rules get a bit more complicated and granular since they mix hard requirements and best practices. Here are the things to keep in mind that aren’t already covered by the TCPA

• Texts should include your organization’s name.

• Compliance disclosure language should include links to your terms of service and privacy policy.

• Send an opt-in confirmation (that first message after a subscriber opts-in should confirm their opt-in and include how to opt-out and how to get help). 

• Provide customer support information (if someone replies “help,” they should get a message back on how to get assistance. i.e., HELP for help).

• Collect email and phone numbers separately (different pages on your pop-ups or other submit buttons on a landing page).

• Limit abandoned cart reminders to one per shopping cart event within 48 hours.

• Unless your program has proper gating and prior carrier approval, avoid SHAFT content (Sex, Hate, Alcohol, Firearms & Tobacco including vape, cannabis & CBD)

• Phone numbers used to send texts in the US need to go through carrier verification.

It’s best to account for all requirements, including what might be considered a best practice. These rules can be subjective and can change from best practices to hard rules without a lot of notice. Running an SMS program while trying to account for what is allowed on some carriers is not only time-consuming but potentially problematic if you don’t get everything exactly correct. Getting in trouble with any of the big 3 US carriers could put your BFCM success at risk. You don’t want to get filtered or shut down during this peak season. 

If you’ve reached this point and are feeling a little overwhelmed, we feel you. The legal requirements alone can be a lot to manage manually (especially if you factor in that some states are in more than one time zone). But read on for some simple ways to cover your bases.

For brands on Postscript, before you feel completely overwhelmed, most of the tools you need are built right into the platform. But there are several things you’ll want to keep in mind over the course of the holiday season and beyond. 

Remember to tell your customers how to opt out of your SMS program at least once a month. If you are counting your characters, you can stick with the classic “Stop to Stop” at the end of your message. Or if you want to keep things more conversational in tone (great opportunity to maximize the 1,600 characters if you send an MMS), Fly By Jing keeps its spicy tone in their sunset flow if you need creative inspiration.

Remember, you don’t have to make this a stand-alone text; you just have to make sure customers are informed at least once a month on how to stop receiving texts.

Just a quick note: this particular topic gets a lot more complicated on December 1st when New Jersey’s legal changes go into effect and require a brand’s mailing list in each message. To help brands address these new requirements (and watch those precious, precious characters), the Postscript platform will include a feature to generate a landing page that has all of the required business information and include a link to access that in all texts sent to New Jersey subscribers starting on November 30th. 

To be fully TCPA compliant, the opt-in disclosure must be positioned close to the CTA button. There cannot be any large gaps or images separating the opt-in CTA from the compliance disclosure language, and you should also use an asterisk at the end of your CTA to indicate to the reader that there are relevant disclosures/consent language that they should read. What you need to keep in mind will vary depending on how you grow your subscriber list. 

Opt-in points managed by Postscript, such as pop-ups, landing pages, and check out, all have the compliance disclosure language built-in (with links to quickly access TOS & privacy) and follow best practices. But when you gather subscribers in other places like email, social, QR codes, etc., you need to ensure that you include the compliance language if a subscriber is opt-in off your website. 

For example, if you have an opt-in keyword in a social media post, you would also need to include the compliance language (with the URLs to your TOS & privacy page written out if you are limited on the number of links), but if your social media post instead linked to an opt-in on a Postscript-created landing page, you wouldn’t need the compliance language within the social post, itself, because compliance language is included on the landing page.

Be sure to keep records of your opt-in sources (especially for subscribers gathered off your website) for future reference. When you take a screenshot of your Facebook post or keyword on your packaging, make sure you can see the compliance language. You can learn more about some of the tricky questions around gathering subscribers here. 

The last thing to keep in mind during BFCM is that your subscribers will be traveling. To provide the best possible subscriber experience, you’ll want to keep that in mind. 

No matter how you celebrate the holiday season, taking those few extra steps to ensure compliance will help you avoid both expensive lawsuits/demand letters and keep your SMS program running smoothly (avoiding the risk of filtering or having your program shut down during peak season). 

On a compliance-first platform like Postscript, checking your BFCM compliance list will still leave you enough time to catch your favorite holiday movie. Personally, I’ll be watching a Muppet Christmas Carol, and don’t forget:

It is the season of the heart

A special time of caring

The ways of love made clear

And it is the season of the spirit

The message, if we hear it

Is make it last all year

- The Muppet Christmas Carol, 1992

Be sure to take that “make it last all year” to heart when it comes to compliance. Not on a compliance-first platform like Postscript yet? Book a demo, and we’ll get you up and running in no time. 

Get in touch with our team here.