Legal Compliance Checklist hero 041521

CTIA & TCPA Compliance

What you need to know to avoid a multi-million dollar SMS marketing fine

So, you want to be one of the innovative companies out there using SMS and text message marketing to connect with customers and prospects and grow sales. Even a moment of research into the topic, and you’ll begin to see four very, very important letters mentioned often: TCPA.

The TCPA is an incredibly important law that you, or your marketing team, need to know inside and out before you get started with SMS marketing. Why? Because not knowing what it is can cost you millions (and has for large brands). 

There is good news, though! Following the TCPA is pretty easy—especially if you know what it is, and you choose a technology or SMS marketing tool that helps make sure you are covered. 

All right, let’s get you caught up on this need-to-know law.

In this article (click to jump to a specific section):

What is TCPA and how does it apply to SMS messaging and SMS compliance?

The Telephone Consumer Protection Act (TCPA) went into effect in 1991. It covers unsolicited calls and texts to cell phones, protecting consumers from unregulated use of their personal information. 

Nearly 30 years later, brands of all shapes and sizes are looking to SMS marketing as a way to get in front of their customers. That’s because text messages have a near 100% read rate. Let’s take a sample size of one: How many text messages do you have on your phone right now that are unread? 

That near 100% read rate is so much higher than email marketing, where a good average open rate is 20%, and click rate is about 2-5%. Yikes. 

This makes SMS marketing a great channel for so many brands to talk to customers and prospects. But, there are rules and regulations in place to protect each of us. 

Section 4 and 5 of the TCPA’s definition are what apply most to brands looking to use SMS marketing:

  • (4) The term “telephone solicitation” means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person, but such term does not include a call or message (A) to any person with that person's prior express invitation or permission, (B) to any person with whom the caller has an established business relationship, or (C) by a tax exempt nonprofit organization. 

  • (5) The term “unsolicited advertisement” means any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person's prior express invitation or permission, in writing or otherwise. 

Again, the TCPA’s goal is to protect consumers and businesses from unsolicited advertisements. For brands, this means that you cannot send unsolicited marketing text messages to consumers unless they voluntarily give their information to you via a website where it is made clear what their information will be used for.

Sounds pretty simple right? And it is! Except for unsubscribes, and a variety of other guidelines and rules. Don’t worry, we’ll dive into each of them.

What are the penalties for violating TCPA regulations?

Okay, so what happens if you break the law and violate TCPA regulations? Great question! 

You will be fined. A lot. 

Fines are usually up to $500 per violation, and they are the most common punishment for non-compliance. Certain violations can climb up to $1,500. That's potentially $1,500 per text message you send to a customer who either:

  • Did not opt-in to your SMS marketing

  • Unsubscribed, but wasn’t taken off your list

Any and all unsolicited calls or texts qualify as TCPA violations.

A variety of companies—large and small—have been hit with TCPA violation class action lawsuits. They include brands like ADTSquare, a Denver-based cannabis dispensaryJiffy Lube, and Microsoft

For Microsoft, the court ruled in favor of the company in 2015, which is good news for SMS marketers. From the ruling, however, brands must make it clear to consumers when they collect their phone number information that they will be sent SMS marketing. 

This is why it is so important to add SMS marketing terms and conditions to your website. 

In general, one text message to a consumer that is in violation of TCPA is not considered high enough volume for a lawsuit. 

Beyond that, however, you could get yourself into hot water, which is exactly what happened to Jiffy Lube. Their TCPA violation class action lawsuit resulted in a fine of $47 million

These kinds of fines are one big reason why so many companies have opted in favor of short codes, allowing consumers to clearly opt-in via a short code they can text to a specific number. 

But, short codes were created by the CTIA (another acronym!) and they have guidelines all their own.

CTIA Guidelines

The CTIA stands for the Cellular Telecommunications Industry Association. It is a trade association for wireless carriers and others that operate in the mobile space. CTIA created the common short code system, which is one of the primary ways of sending SMS marketing messages to consumers. 

As part of that short code system, the CTIA established guidelines for short code-based SMS marketing programs. They enforce those guidelines through regular audits. If the CTIA finds that you are not in compliance with their guidelines, they will report you to the mobile carriers, which may then shut down or suspend your SMS marketing program until the issue can be resolved. 

What are in these guidelines? Well, the guidelines contain rules about what consumers must be told within your messages. For instance, that message and data rates may apply, how to get help and/or stop messages from coming in, how often the customer can expect to get messages from the company, links to terms and conditions, as well as privacy policies, and more. 

The CTIA’s guidelines are not law, like the TCPA. However, a violation can cause your program to be shut down. No fines are involved.

How can businesses be compliant with CTIA and TCPA guidelines?

All right—so now that you have a good understanding of the TCPA and CTIA as well as their individual powers to either fine your organization or shut off your SMS marketing program, let’s chat through how to make sure none of that ever happens. 

There are two main rules for sending SMS marketing messages:

  • Only send to consumers who have opted in specifically for this kind of marketing

  • If/when consumers want to unsubscribe, let them! 

That’s about it, though there are nuances of course. Let’s dive in.

There are quite a few ways consumers could opt-in to your SMS marketing program. You’ll need to make sure that for each of these various opt-in points, you are being clear with the consumer about how you will use their information. 

Here are a few ways you can collect their phone number, and what you might need to have prepared to make sure they are properly informed in line with TCPA:

Website pop-up: This is one of the most common ways to collect phone numbers for SMS marketing. Be sure to have a link to your terms of service, where you should have updated information about your SMS marketing practices.

Also, be sure you make it clear to consumers when gathering their phone number here that it will be used for marketing purposes, that they can opt-out at any time, and that you never share their information with anyone.

Finally, if you collect both emails and phone numbers via pop-up, make sure you have separate pop-up screens for each. In other words, subscribers cannot enter both phone and email information on the same pop-up screen. Note that this guidance applies to any form or landing page where you collect contact information. Phone and email collection must always occur separately.

This is a beautiful example from JUDY of an SMS capture pop-up.

This is a beautiful example from JUDY of an SMS capture pop-up.

Keywords: Many brands use keywords to collect SMS opt-ins. This is a great option for driving subscriptions via external sources like social media. For example, you might launch an Instagram story inviting followers to text you a particular keyword to subscribe (as shown below). Or you might run a Facebook ad with a similar keyword-focused CTA.

With these collection points, it’s important to include the necessary compliance language and link to your terms of service and privacy policy.


Ecommerce checkout: Ecommerce platforms like Shopify make the collection of SMS numbers at checkout incredibly easy, and common. Many consumers opt-in here expecting shipping and delivery SMS updates.

Be sure that if you are going to use these numbers for SMS marketing as well, that you are clear about that at checkout. For most Shopify stores, the generic language only explains that their number will be used for shipping and delivery updates. It is worth it to be overly clear and communicative here.

What an SMS pop-up during checkout can look like. This example is from Hydrant.

What an SMS pop-up during checkout can look like. This example is from Hydrant.

If you collect opt-ins on the checkout screen itself (as shown in the example below), there are a few more requirements to note. Make sure phone and email collection fields are completely separate and that each has its own opt-in checkbox. Additionally, do not pre-check that box. Finally, be sure to include the required compliance language and link to your terms of service and privacy policy.

checkout compliant

Another example of what capturing SMS at checkout may look like. This example is from RugsUSA.

Another example of what capturing SMS at checkout may look like. This example is from RugsUSA.

Email marketing: You might be thinking it’d be a good idea to see if folks on your newsletter list would like to join your SMS marketing list. It is a pretty good idea! Just be sure not to opt them in without them knowing (we’ll cover that in a bit).

You can even use smart links in email for a “click to text” option that pulls up a consumer’s text message tool on their computer or mobile phone to send a quick short code and opt-in. Be sure in that email to make it clear how consumers can opt-out once they are opted in and what you will use SMS marketing for.

This example from Express shows you a tap to text option, and was found in their email newsletter. Notice the asterisk and information there? Yep –– they are TCPA and CTIA compliant!

This example from Express shows you a tap to text option, and was found in their email newsletter. Notice the asterisk and information there? Yep –– they are TCPA and CTIA compliant!

The above example from Express shows you a tap to text option, and was found in their email newsletter. Notice the asterisk and information there? Yep—they are TCPA and CTIA compliant!

Click to text: You can use click to text in email marketing, as mentioned above, but also really just anywhere. Perhaps your site drives traffic that comes mostly from mobile phones, and many of them are reading your blog.

It might make sense in there to have folks click to text short codes to opt-in for updates about new blog posts, or new reviews, or anything really that makes sense for your brand and what that consumer is looking for. Just be clear, similar to all the other options here, in how consumers can opt-out and what kind of information you will be sending them. (Example of this above!)

Gated piece of content: Many brands create checklists, online courses, or a variety of other assets and offer them for free with the exchange of an email or phone number. Cool!

Just be sure that if you are asking for a phone number, you can clear in your messaging what that number will be used for. Also, be sure that your first message—a.k.a. your confirmation message—to them includes a link to the asset they were trying to get.

The golden rule pays off in dividends in these scenarios. What kind of information would you want to have sent to you from a brand, and what kind of heads up would you think appropriate?

This example is from <a href="">NaturAll Club</a>, and appears at the end of their online hair quiz. Want your results? Enter your number (and get 10% off!).

This example is from NaturAll Club, and appears at the end of their online hair quiz. Want your results? Enter your number (and get 10% off!).

Handset: If you have a sales team, customer service teams, or even just allow for folks to call in, be sure you have a script or verbiage ready for those employees to capture phone numbers for your SMS marketing campaigns. Also, be sure that the script includes language that explains to the consumer what their number will be used for, and that they can opt-out anytime. 

POS system: If you also run a brick-and-mortar shop, or ever do any kind of pop-ups and use a POS system, you can collect SMS numbers through checkout. Here, you should do two things:

  1. Have a script (or have your employee trained to ask customers if they would like to be added to the SMS marketing list).

  2. Have the customer check a box or confirm that on the POS system itself as they check out.

Hold on, can’t I just use this list of customer phone numbers I already have? 

No. Absolutely you can not. You must have consent from the consumer before you opt them in to any SMS marketing campaign. That is, the consumer must know that they will be getting a text from you because they agreed to have that marketing text sent to them. 

What happens if you ignore that law? Let’s do the math… 

Say, you have 5,000 people on your email newsletter list and you want to send out a new SMS marketing campaign to them. Say, you have three text messages in that campaign over the course of a week. 

So, that gets you 15,000 texts to 5,000 people. Your fines for doing so could amount to $7,500,000 on the low side to upwards of $22,500,000.

Can your business afford that? Will those three texts generate that much revenue? No. The answer is no. 

Do not just send an SMS marketing campaign to folks who have given you their phone number information without them specifically signing up for SMS marketing. 

Remember: Customers are giving you access to their most personal and private device — their mobile phone number. Use this privilege wisely, respect people’s privacy, and treat others as you wish to be treated (the golden rule).

All of that being said, if you have a list of customers who have compliantly opted into receiving SMS and you’d like to upload that list to your SMS marketing platform, you can absolutely do that. This is a common scenario when switching from one platform to another.

To learn more about how Postscript handles uploads for compliantly collected subscriber lists, check out this resource.

2. Managing unsubscribes in compliance with TCPA and federal law

Similar to email marketing, you are required to allow consumers to unsubscribe or opt-out of your SMS marketing. Unlike email marketing, there isn’t an easy link they can click in your SMS messages that allows them to do that. 

Instead, most consumers simply respond to a text saying, “Stop,” “No,” “Don’t message me,” “Unsubscribe,” or whatever else makes the most sense to them. This creates what is known as fuzzy opt-outs—when a consumer tries to opt-out of text message marketing using whatever terms they want. 

There are easy words to predict consumers might use. And then, there are misspellings, and a whole host of other potential fuzzy opt-out options. 

And letting consumers opt-out is a key part of federal law around SMS marketing. So, you need to have a tool that can recognize all fuzzy opt-out language and successfully opt those consumers out when they ask (or pay a serious price). 

Here are just some of the fuzzy opt-out terms Postscript recognizes:

  • STOP

  • stpop

  • stpo

  • end

  • unsubscribe

  • cancel

  • do not text

  • do not call

  • don't text

  • don't call

  • take me off

  • wrong number

  • remove me

  • ***k you

  • ***k off

  • eat ***t

  • do not contact

  • don't contact

  • do not message

  • stop texting

  • stop ****ing texting

  • unsubscribe me

  • stop sending texts

  • stop sending me texts

  • Stop the text, please!

  • Stop sending me text message! I have asked many times and you continue to send them to me!

  • Stop 🛑

  • STOP SENDING ME THESE TEXTS... I already ordered one and I don't want to keep getting texts from you

  • Please remove. Thanks.

  • Stop all texts to me!

  • Please delete me from your text list. Thanks so much!

  • Stop sending me text

  • Stop sending these, please!

  • Remove this number

  • Do not text

  • Remove my phone number

  • Stop all

  • Quit texting me you already ripped me off

  • Please remove my number from your system. Thank you!

Now, even if your SMS provider recognizes and flags opt-outs like the ones mentioned above, it is important to periodically review subscriber responses to screen for any opt-outs that made it past the automated screening. If you find any, you’ll need to opt them out manually.

Additionally, your SMS provider should make it easy for you to add opt-out language (e.g., “Reply STOP to unsubscribe”) to any campaign or automation. We encourage our users to make sure subscribers receive that language at least once per month.

3. Understanding how long codes and short codes apply to TCPA and CTIA

In general, the TCPA doesn’t have anything to do with short codes or long codes. The CTIA does (CTIA, which is the coalition of mobile carriers). Short codes and long codes must be registered with the CTIA, though typically tools like Postscript can do that for you. 

Registration takes only 24-48 hours, and you should be able to use your code in compliance with both the CTIA and TCPA immediately after it is registered.

Short codes are typically preferred to long codes, especially for larger brands—though they do come at a cost. Think of it as a marketing investment. Unlike full phone numbers (i.e., 10-digit toll free numbers), a short code is an easy-to-remember, five-to-six-digit number that texts are sent from—and that customers can use to text your brand. Short codes allow you to send both SMS and MMS.

At Postscript, we ensure that your customers will not receive any other marketing from other companies using our short codes (called cross talk). Cross talk can confuse customers and lead to bad customer experience.

To learn more about short codes and toll-free numbers—including their differences and the pros and cons of each—check out this resource.

Here is a bit of history on short codes from the CTIA

  • In the early 2000s, CTIA and other messaging ecosystem stakeholders developed the short code platform (i.e., five or six digit codes) to facilitate the appropriate use of bulk wireless messages. Short code messages enable wireless messaging campaigns that are vetted by wireless providers. The combination of upfront vetting with ongoing auditing means that short codes can enable high-volume messaging campaigns while minimizing the risk that short codes will be used to distribute unwanted messages. 

  • In 2009, building on the successful SMS and MMS inter-carrier interoperability initiative, CTIA and messaging stakeholders expanded the SMS Interoperability Guidelines to guide how non-mobile networks could exchange SMS message traffic with mobile wireless networks. 

  • In 2011, CTIA and the messaging stakeholders further expanded the SMS Interoperability Guidelines to include cloud-based services that use 10-digit NANP telephone numbers, and addressed unwanted message risks associated with this expanded ecosystem. 

  • In 2014, as the messaging ecosystem evolved, CTIA and messaging stakeholders also revised the SMS Interoperability Guidelines to account for group messaging and text-enabled toll-free telephone numbers. All of these efforts have been premised on the common goal of maintaining and enhancing a dynamic and competitive wireless messaging ecosystem, while limiting consumers’ exposure to unwanted messages. In pursuit of this goal and consistent with these Principles and Best Practices, messaging ecosystem stakeholders should promote the exchange of wanted messages among wireless consumers and enterprises, minimize risks to wireless consumers of receiving unwanted messages, and conduct fair dealing with each other, as well as comply with applicable laws and obligations.

4. Disclosing that message and data rates apply

According to the CTIA guidelines, you are required to let consumers know that data rates and carrier fees may apply to the texts they receive from your brand. This can be as simple as saying in your first text to consumers, “Msg & data rates may apply.” This verbiage should also appear in your compliant opt-in language.

5. Making sure you send at the appropriate time

The TCPA is in place for consumer protection. One really good way to make sure you don’t end up in court over your text messages is to simply not annoy the people who are signed up for it. One way to do that is no to send messages at inappropriate times. 

Remember, a lot of people keep their phones on loud in case of an emergency. So, if your audience is spread across time zones, and you send a message at 9 a.m. Eastern Time, you are hitting your California folks at 6 a.m. Not ideal. 

Again, the golden rule is the best way to think through all of this. Would you want to receive this message at this time? If the answer is no, don’t send it.

At Postscript, we observe the following widely accepted “waking hours,” during which brands can send SMS marketing messages:

  • Global campaign waking hours: 8:00 AM–11:00 PM Eastern

  • Global automation waking hours: 11:00 AM–9:00 PM EST

This is especially important now that we’re starting to see state-level regulations like those introduced in Florida. As we explain here, Florida has introduced strict limitations on quiet hours (i.e., hours when brands cannot text their subscribers) and message frequency. And as our legal team noted here, we expect to see more laws like Florida’s adopted in the coming months and years.

6. Sending relevant content

You’ve done a lot of work at this point to get consumers to subscribe to your SMS marketing campaigns, to make sure you are unsubscribing them whenever they want, and to send during acceptable times of day. Please, make sure that the content of what you are sending them is aligned with your brand, and adds value.

In other words, don’t send people spam just for the sake of being “top of mind.” Provide value. Wish them a happy birthday! Tell them about a new drop or a new influencer. Send them helpful content in line with your brand mission. 

Whatever you do, don’t send messages just for the sake of sending them.

7. Following SHAFT guidelines

SHAFT (Sex, Hate, Alcohol, Firearms, and Tobacco—CBD included) is a CTIA-enforced rule banning SMS content that includes:

  • Depictions or endorsements of violence

  • Adult or otherwise inappropriate content

  • Profanity

  • Hate/discriminatory speech

  • Endorsement of illegal or illicit drugs

SHAFT enforcement is incredibly strict, and as such, Postscript and other messaging platforms cannot support sends promoting or related to SHAFT-covered content areas. (Please note that there are now compliant avenues for brands selling alcohol to leverage SMS to promote their products; however, you must confirm with your SMS provider that you have satisfied all necessary compliance requirements before doing so.)

Generally speaking, to avoid having your brand’s messages and/or numbers blocked by carrier networks, you should ensure none of your SMS or MMS content violates SHAFT restrictions. For more information, refer to this resource.

8. Observing limitations on send frequency

As of June 2021, the carriers are enforcing limitations on the frequency of certain types of messages. Specifically, as we explain in greater detail here, all automations related to abandoned shopping carts and abandoned checkouts must be:

  • Limited to only one message per trigger event

  • Sent within 48 hours of the trigger event

9. Removing deactivated numbers from your list 

When a subscriber who opted in with a specific phone number is no longer using that number, any messages you send to the number are no longer compliant—because the new owner of the number has not given you their consent. So, when an individual terminates their cellular plan, gets a new phone number, or chooses to leave their current carrier for another—you need to remove them from your subscriber list.

Not doing so could lead to more spam complaints, which may prompt carriers to filter messages or take legal action. 

That’s a lot to keep track of yourself, but your SMS provider can help. With Postscript, deactivated numbers are automatically identified and removed from your list—usually within 24 hours of being marked deactivated.

We will also remove numbers anytime we receive notification from a carrier regarding a permanent deliverability issue—for example, if the number the subscriber provided is not valid or is connected to a landline.

How can tools and technology help businesses stay TCPA and CTIA compliant?

SMS marketing tools and technology can take away the majority of the heavy lifting of TCPA and CTIA compliance. Postscript, for instance, gives you a copy-and-paste terms and conditions excerpt sets up short codes and registers them, gives you a variety of options for collecting SMS numbers for your campaigns (including click to text, pop-ups and more), and helps you manage campaigns so that you send information at the right time. 

SMS marketing tools enable you to focus on only two things instead of everything that is listed out in this article:

  • How you collect the numbers

  • How you keep people subscribed 

This means you get to focus on the campaign strategy and creative. Then, you get to measure engagement and results, making tweaks as needed to grow your list and continue driving traffic—all without waking up in a cold sweat wondering if there’s a class action lawsuit coming your way. 

There won’t be when you use tools like Postscript, because compliance is handled for you. 

Of course, there is a bit of research you must do on your end. Many businesses, for instance, like to use Twilio for SMS marketing. Tools like Twilio, however, do not manage fuzzy opt-outs and other compliance factors. Yes, the tool allows you to easily send SMS marketing campaigns in an inexpensive way, but non-compliance fees could eventually shut your entire business down through bankruptcy.

TCPA and CTIA Guidelines and a Checklist for Ecommerce Marketers

Whether you choose to use a tool like Postscript that manages the majority of TCPA and CTIA compliance for you, or you decide to set up a system yourself with a service like Twilio, it is good to have a quick hit list of what you need to know. 

Hand this off to your marketer—or to your boss. Make sure your sales teams know about it, and have a script they can speak to to help get new folks signed up appropriately.

Here is what is required by the TCPA and CTIA of any brand looking to use SMS marketing campaigns: 

  • Get permission from your consumers to message them.

  • Acquire an individual’s explicit consent to receive messages for informational purposes via SMS.

  • Acquire an individual’s express written consent to receive promotional texts via SMS. Written permission may include electronic or digital forms of signature (such as a website form, text message, or email).

  • Maintain a record of each individual’s consent.

  • Remove deactivated or invalid numbers from your subscriber list on a regular basis.

  • Disclose useful information and opt-out instructions.

  • Offer the ability to revoke consent and opt-out at any time (e.g., using a STOP keyword).

  • Include opt-out language (i.e., “Reply STOP to unsubscribe) in your texts at least once per month for each subscriber.

  • Disclose that message and data rates may apply.

  • If you are asking people to subscribe to a recurring SMS text message campaign (such as a weekly or monthly updates), clearly explain the regularity of text messaging (i.e., “sign up for weekly updates”).

  • Message thoughtfully, carefully, and intelligently. Do not include content that involves illegal behavior or substances, violence, adult content such as nudity and profanity, or hate speech.

  • Message people between the hours of 8:00 AM–11:00 PM Eastern for campaigns and 11:00 AM–9:00 PM Eastern for automations (excluding Florida, which has its own rules)

  • Refrain from sending more than one abandoned cart or abandoned checkout automation per trigger event—and be sure to send within 48 hours of the event..

  • Be specific. Messaging “Text YES to ### subscribe to Pony Express HQ’s weekly update and receive deals” is more likely to increase your opt-in rate than a message like “Text YES to subscribe.”

Access premium content. Become an SMS expert.

Join over 10,000 other marketers who get weekly insights delivered directly to their inbox.

We are big fans of privacy. See our Privacy Policy for more information.

Ready to make SMS your #1 revenue channel?