One FAQ to Rule Them All: 50 Tricky SMS Compliance Questions + Answers

There’s no reasonable doubt about it—SMS marketing compliance is confusing.

From the Telephone Consumer Protection Act (TCPA) to the Cellular Telecommunications Industry Association (CTIA)—not to mention different laws at the state level—keeping all the rules straight might seem like a tall order. And with all the jargon, ambiguity, and nuance, SMS compliance is anything but an open-and-shut case.

Questions are bound to pop up, and as the number-one SMS marketing platform for Shopify merchants, we here at Postscript have heard our fair share. Here are the most frequently asked ones, along with answers from our in-house SMS compliance experts. (Please note that the following information should not be taken as official legal advice. When in doubt, we always recommend consulting a legal or compliance professional who can assess all the details of your particular situation.)

• Opt-ins and Opt-outs

• Abandonment Automations

• Brand Name and Phone Number Changes

• SHAFT

• Quiet and Waking Hours

• Transactional versus Promotional Messaging

• Miscellaneous 

Confirmed opt-in (also known as double opt-in) allows brands to require that subscribers confirm their desire to opt into recurring SMS marketing messages by replying "Y" or entering a one-time passcode to an initial text message.

Using confirmed opt-in validates that a subscriber wanted to receive texts from your brand. From a TCPA point of view, if you don’t have double opt-in, person X can accidentally (or purposefully) enter in person Y’s phone number causing person Y to receive messages that they did not opt-in to, and they can then sue the shop for $500 to $1500 per message received. Aside from avoiding a potential what could turn into a multi million dollar lawsuit, confirmed opt-in helps to keep your subscriber list clean by only sending to individuals that truly wanted to receive these messages. This saves your company money by removing subscribers that are far less likely to be engaged.

The compliance disclosure language we recommend and use by default is as follows (“Terms of Service” and “Privacy Policy” should be linked to the appropriate pages/resources):

*By providing your phone number, you agree to receive recurring automated marketing text messages (e.g. cart reminders) from this shop and third parties acting on its behalf. Consent is not a condition to obtain goods or services. Msg & data rates may apply. Msg frequency varies. Reply HELP for help and STOP to cancel. You also agree to the Terms of Service and Privacy Policy.

Legally, this box cannot be pre-checked. The subscriber must manually check the box before opting in (in doing so, providing express consent).

Anywhere you’re asking people to opt in—including (but not limited to) onsite popups, social media pages, landing pages, checkout pages, and videos. (Note that TikTok has especially strict rules around using their platform to drive SMS opt-ins, so be sure to read this help article before attempting to use TikTok for list growth.)

To be fully TCPA compliant, the opt-in disclosure must be positioned close to the CTA button. There cannot be any large gaps or images separating the opt-in CTA from the compliance disclosure language, and you should also use an asterisk at the end of your CTA to indicate to the reader that there are relevant disclosures/consent language that they should read. 

Some tips to make your opt in disclosure is TCPA compliant:

• Disclosure must be in readable font - both in terms of size and color against the background;

• Disclosure must be close to the CTA button - while an above the CTA button is not required, it is preferred;

• Websites, landing pages, social media pages, check out pages etc should not be cluttered or otherwise full of impertinent language in different font sizes and colors that might distract from the TCPA disclosure;

• TCPA Disclosure should actually and clearly explain that by clicking the CTA button, the customer will actually be accepting the disclosure;

• Disclosure must be apparent at the time the customer clicks the “submit” button and cannot pop up only before or after the CTA button is presented;

• Hyperlinks must be obvious and underlined or capitalized (a different color helps too);

No., Legally, there’s no need to communicate the exact number of “recurring” messages a subscriber can expect to receive. We would, however, recommend setting expectations around message frequency, type, and content within your welcome series. If you build your welcome series using Postscript’s Flow Builder, you could even ask new subscribers how often they’d like to hear from you—and what type of message content they’d like to receive—and use their responses to segment accordingly.

Per carrier requirements, your SMS opt-in must stand alone with its own CTA and compliance disclosure language. One of the best ways to achieve this is to refresh the popup screen for each opt-in (phone and email). So if, for example, you lead with email collection, the popup screen would refresh to a new CTA for SMS opt-in after the subscriber submits their email address. Then, they would take a new submit action when providing their phone number.

If you’re adamant about having email collection and SMS collection on the same page or popup, then you must have separate consent (unchecked) checkboxes for each submission field (email and SMS), separate compliance disclosure language next to each, and the ability for the subscriber to submit the form with either field left blank.

We recommend using the QR code to direct potential subscribers to an opt-in landing page. That way, you can display the required compliance disclosure language there—alongside the full CTA to subscribe.

If you really, really want a two-tap opt-in via QR code, then you must print the full compliance disclosure language—and spell out the full URLs for the terms of service and privacy policy (e.g., shop.com/terms-of-service)—directly below the QR code. Additionally, for your own records, you’ll want to:

• Use a unique keyword for each promotion/product (beyond ensuring compliance, this will ensure accurate attribution data).

• Save images/final mock-ups of the compliance disclosure language used for the given “print” promotional materials (so you can always prove compliant language was used). 

TCPA consent or opt in cannot be obtained verbally over the phone. However, you can direct  callers to a compliant opt-in landing page (i.e., by providing them with the URL over the phone or letting them know there is an opt-in location in the footer of your website). That way, the full compliance disclosure language is present and a customer can then accept the terms on that landing page.

As long as there’s no way for the subscriber to opt in without going to the landing page that displays the compliance disclosure language, you don’t have to put the opt-in language in the email itself. That being said, if the body of the email incorporates a keyword CTA (e.g., “Text JOIN to 12345”), you must include the full compliance disclosure language directly next to that CTA in order to ensure the email is compliant.

This is not compliant unless an individual human is texting each contact one-to-one and each phone number is scrubbed against the National Do Not Call Registry. Informational messages sent from one individual to another are not covered by the TCPA, but all marketing messages are subject to the TCPA. But using a platform to mass-message the entire contact list would not be compliant without TCPA consent.

But even if another provider can compliantly text contacts human-to-human, it doesn’t mean you should let them. Not only is it a bad customer experience to receive a text requesting opt-in out of the blue, but you also cannot ever text someone again if they reply and ask not to be opted in. Generally speaking, subscribers gained through this type of cold outreach are lower-value than subscribers who opt in on their own accord.

There’s a lot of risk in this approach, as the messages sent to the old list asking them to re-subscribe would likely not be compliant (and thus, subject to potentially large lawsuit payouts). It is also the kind of red flag that could tip off plaintiff litigators, which could result in legal headaches if anyone were to pursue a lawsuit.

There’s a lot of legal and filtering risk in this approach, as the messages sent to the old list asking them to re-subscribe would not be compliant (and thus, subject to fines). If this is important to your brand, you should consult with a dedicated TCPA counsel to determine the best path forward.

We recommend starting fresh and building a new list that you know is fully compliant.

Note: There is often a fairly large overlap between poorly gathered subscribers and subscribers that don’t tend to convert into paid customers. Those that explicitly opt-in are far more likely to engage with the messages/shop and merit outreach. 

No. For an opt-in consent to be valid, it must be provided explicitly by the individual who will be receiving the messages. The individual opting in must see the disclosure opt-in language and be the one consenting to receive the messages.

Unless you include the full required compliance disclosure language in the post, we’d recommend instead sharing a link to your compliant opt-in landing page. This is a much more airtight approach as far as compliance is concerned. (Check out this article to learn how to create an opt-in link.)

No, not if all brands are looking to add those opt-ins to their SMS subscriber list. While you could use the same landing page, there must be separate opt-in points (e.g., different forms on the same page), and each brand must collect separate, explicit consent from each subscriber.

No. The owners of those numbers did not compliantly opt into receiving messages from your brand, specifically. So, you cannot send them marketing texts.

Yes, but you will need to include the required compliance disclosure language alongside the phone number collection point. You’ll also need to add wording to the CTA clarifying that when someone submits their phone number, they will be subscribed to your brand’s SMS marketing in addition to being entered into the giveaway. For example: “Enter your phone number below to be entered to win a Valentine’s Day gift basket and join our SMS club.”

Yes, but here’s how we’d recommend ensuring compliance (alternatively, you could advertise the URL for your opt-in landing page so you don’t have to worry about these requirements):

1. When you say the opt-in CTA (e.g., "Text KEYWORD to 12345…”), you must also make it clear that doing so will subscribe the person to recurring marketing messages.

2. You must include the full opt in disclaimer language (with spelled-out URLs for Terms of Service and Privacy Policy pages) in the banner or overlay.

3. The compliance disclosure language must be clearly legible on the screen.

4. The opt-in language must be displayed on screen for at least 20 seconds, and it must be visible during the entirety of the verbal CTA to opt-in.

5. You must read the consent language verbatim out loud.

6. You must maintain a recording of the video for at least five years.

No for brands in the US. While you don’t need to include opt-out language on every message, carriers do require that you include it at least once per month, per subscriber.

Each country will have different carriers and thus the rules will vary from one country to another.

While it may not be strictly required from a legal standpoint, carriers do look for a clear and repeated notification to customers that they can reply STOP to opt out at any time. Therefore, we strongly recommend including this language in your first message to every subscriber. If you want to further explore the limits of these requirements, we recommend reaching out to specialized TCPA/compliance counsel.

Per carriers, you can only send one abandoned shopping cart message per abandoned cart event, and it must be sent within 48 hours of the event.

The same rules that apply to abandoned cart messages also apply to browse abandonment messages. Furthermore, we advise against sending both an abandoned cart message and a browse abandonment message within the same 48-hour period.

Yes. The follow-up text would be triggered by a separate action than the cart abandonment event, so it would be compliant to send—even within the first 48 hours after the cart abandonment.

If this is a simple rebrand (i.e., you’re selling the same products and only the name of the shop has changed), then there’s no need to complete the opt-in process again. We would, however, recommend that you include a mention of the brand name change in the next message you send so your subscribers are aware of the switch. If the products are changing in tandem with the name change, then you will need to get new opt-ins.

When migrating from one number to another, the CTIA has specific requirements for the last message sent from your previous phone number and the first message sent from your new number. (Note: As a best practice, we also recommend sending a contact card in your first message from the new number. Learn more about why this is so important here.)

Furthermore, if your number is changing as a result of switching from a previous SMS provider to Postscript, make sure that no additional messages are sent from your old number/provider once you send your first message out of Postscript. In other words, make sure your old account and number on your previous platform are totally inactive.

CTIA requirements depend on what type of number your shop is migrating from, and what type you’re migrating to. Here’s the rundown:

TFN to DSC

If you’re migrating from a dedicated TFN to a DSC (with a TFN as a backup):

• Send a final message with your new number to only US subscribers. Let them know what the new dedicated short code number is and make clear that this is the number you’ll be texting them from going forward. Include the “STOP to STOP, HELP for HELP, and Data & Msg rates may apply” verbiage in this message.

• Do not send new number messaging to your Canadian subscribers, as they will still be receiving messages from the TFN.

DSC to TFN

If you’re migrating from a DSC to a TFN:

• Send a final message with your new number to only US subscribers. Let them know what the new TFN is and make clear that this is the number you’ll be texting from going forward. Include the “STOP to STOP, HELP for HELP, and Data & Msg rates may apply” verbiage in this message.

TFN/10DLC to TFN

If you’re migrating from a TFN or 10DLC to a new TFN: 

• Inform customers that their opt-outs/messages to the old number will no longer be reaching your shop. (While not required, this is a best practice.)

• Make sure your first message on the new number notifies subscribers that your shop has changed numbers.

• Use this sample language if you’re migrating from one TFN to another: [shop]: We're Changing Our Number! This Number Will No Longer Receive Your Responses. If You Have Questions, Email [shop email]. Reply STOP to stop.

DSC to DSC

If you’re migrating from an old DSC to a new DSC:

• Send a final message with your new number to only US subscribers. Let them know what the new dedicated short code number is and make clear that this is the number you’ll be texting from going forward.

• Make sure your first message on the new number notifies subscribers that your shop has changed numbers. (If you’re concerned about unsubscribes, you can include a promotion in the new number message.)

• Refer to Section A. 10. 1 in the CTIA Short Code Monitoring Handbook for more information on changing short codes.

The final message on your old number should include:

• Your shop name

• Your new number

• Opt-out information (e.g., Reply STOP to stop)

• Message frequency disclosure

• Disclosure notifying subscribers that message and data rates may apply 

• Other important details regarding transition (e.g., customer care contact information)

Here’s an example of what this message may look like:

{shop_name}: We’re getting a new number! [insert number here]. [insert potential marketing message]. As a reminder, reply STOP to stop, HELP for help. Msg & data rates may apply. Msgs are recurring.

We recommend sending this message a few days before you switch over to your new number.

Your first message on the new number should include:

• Your shop name

• Opt-out information (e.g., Reply STOP to stop)

• Customer care contact information (e.g., Reply HELP for help)

• Message frequency disclosure

• Disclosure notifying subscribers that message and data rates may apply 

Here’s an example of what this message may look like: 

{shop_name}: We have a new number! [insert your marketing message]. As a reminder, reply STOP to stop, HELP for help. Msg & data rates may apply. Msgs are recurring.

When crafting messaging around a transition to a TFN, we highly recommend placing the new number language first—and any accompanying copy after that. (If the message is notifying subscribers of the switch to a new DSC, you are required to include the new number messaging first, but it is a best practice regardless of number type.)

We highly recommend sending the new number campaign within 24 hours of going live with your new number. Additionally, we strongly recommend sending a contact card in your first message from the new number. Learn more about why this is so important here. 

No. Any links provided to subscribers must go to the site (or social accounts/other “owned” pages) that owns the phone number. However, you could promote the new brand on a page on your current website and send subscribers there.

No. You cannot use one brand’s subscriber list to send texts from a different brand—even if you own both of them. However, you can send an email from your current brand with a link to a landing page where recipients can opt into your new brand’s SMS list.

This can create a poor customer experience, and the logistics of making it work are complicated. Therefore, we do not recommend it.

Keep in mind that there is no definitive list because carriers do not publicly share their methods for flagging SHAFT content. That being said, we’ve identified the following potential SHAFT (Sex, Hate, Alcohol, Firearms, or Tobacco [CBD included]) trigger words that brands should avoid including in their text messages:

Sex

• Aroused

• Arousal 

• Pussy

• Sextoy

• Dildo

• Sensual

• Sexual

• Orgasm

Alcohol

• Booze

• Brewery

• Whiskey

• Vodka

• Tequila 

Firearms

• Ammunition

• Rifle

• Handgun

Tobacco

• Tobacco

• Cigarette 

Drugs

• CBD

• Marijuana

• Cannabis

• Hemp

• Weed

• Kush

• Hashish 

• Ganja

• Caliva

• Sativa

• Canna

• Vape

• Bong 

Other Potential Flags

• Prank

• Watch Now

Keep in mind that curse words could also trigger filtering, as any content that is “unsuitable for a general audience” is covered by SHAFT.

There’s a lot of nuance to this. For example, a shop that sells holsters—but not firearms—can technically use SMS to market their products. However, there is a risk that the brand could be flagged or blocked by carriers anyway—especially if the brand’s messages contain words like “gun,” “pistol,” “rifle,” etc. To avoid being flagged by carriers, we recommend being extremely careful of your wording and removing any terms that might indicate a direct SHAFT violation.

While alcohol is still a heavily regulated category for text marketing, Postscript has partnered directly with carriers to develop a compliant cross-carrier solution that provides in-thread evidence of a consumer's age. This change drastically improves message deliverability, allowing alcohol brands to confidently send marketing messages to their subscribers. We are a carrier-trusted provider for supporting in-thread age verification, which is key to our ability to support alcohol brands. For more details, check out this blog post.

Yes, as long as you aren’t promoting heavy drinking/alcoholism—and your message is fairly “PG”—then you should be fine. (That being said, Postscript now supports brands that sell alcohol products as long as they meet very specific compliance requirements. Learn more here.)

Yes. Similar to the answer above, as long as you aren’t promoting heavy drinking/alcoholism— and your message is fairly “PG”—then you should be fine. (That being said, Postscript now supports brands that sell alcohol products as long as they meet very specific compliance requirements. Learn more here.)

“Quiet hours” are times of the day in which you should avoid sending text messages to subscribers (e.g., early in the morning or late at night, when most folks are sleeping).

In addition to creating a bad customer experience, messages sent during these hours often lead to higher unsubscribe rates and a greater likelihood of customer complaints and spam reporting. 

Furthermore, there are federal and state regulations that explicitly outline quiet hours in which promotional text messages should not be sent to subscribers residing in various locations. TCPA and FCC guidance prohibits from sending text messages before 8:00 AM and after 9:00 PM in the recipient’s local time zone, and many states (including Florida, Washington, and Oklahoma with Maryland, New Jersey and Connecticut in the next several months) have laws that are more restrictive than than federal TCPA in regards to call/text time restrictions laws in the recipient’s local time zone. 

Our global campaign waking hours are:

• 8:00 AM–11:00 PM EST in the US/CAN (excluding Florida, Washington, and Oklahoma)

• 8:00 AM–8:00 PM local time for Florida, Washington, and Oklahoma

Our global automation waking hours are:

• 11:00 AM–9:00 PM EST in the US/CAN (excluding Florida, Washington, and Oklahoma)

• 8:00 AM–8:00 PM local time for Florida, Washington, and Oklahoma

Note: Postscript will be updating campaign & automation waking hours for Maryland, New Jersey and Connecticut prior to their new regulations going into effect. 

Campaigns are manually scheduled by merchants, who are encouraged to send during the optimal compliance hours with consideration for each US time zone. Automations, on the other hand, fire automatically regardless of subscriber time zone—so we use a more conservative nationwide waking hours window to ensure compliance.

Penalties for sending text messages during quiet hours can include unhappy subscribers, higher unsubscribe rates, filtering by carriers, spam reports from customers, lawsuits, and financial penalties.

While TCPA class-action lawsuits are unlikely due to a carveout of the law suggesting that these quiet hours do not apply to individuals who have compliantly opted into receiving recurring SMS marketing, the penalties for several states, including Connecticut, Florida, Maryland, New Jersey, Washington, and Oklahoma quiet hour violations on can be significant:

Connecticut: Fines up to $20,000 per violation.

Maryland: $1,000 ($5,000 for each subsequent offense) or one-year imprisonment, or both

New Jersey: civil penalty of up to $10,000 or $30,000 if the person contacted is age 60 or older

Florida: Fines up to $10,000, payment of the Department of Agriculture and Consumer Services attorney’s fees and costs, and criminal conviction for a third degree felony. 

Washington: Fines up to $100 per violation, actions by the Washington attorney general, and a private right of action for consumers.

Oklahoma: Fines up to $500 per violation. 

The SMS marketing regulatory landscape is quickly evolving, and we expect more states to eventually match or even exceed the legal penalties introduced in Connecticut, Maryland, New Jersey, Florida, Washington, and Oklahoma.

There is a carveout of the federal law suggesting that quiet hours do not apply to individuals who have compliantly opted into receiving recurring SMS marketing. Thus, quiet hours may be considered a best practice or a conservative legal approach—rather than a strict TCPA requirement (state laws aside). In establishing our quiet hours, Postscript considered subscriber experience (relating to unsubscribe rates, spam complaints, and filtering) along with state and national laws and regulations.

On the federal level, Quiet hours don’t apply to manual, one-on-one, human-to-human responses as long as the responses don’t have marketing context.

Transactional messages are order-related, non-marketing text messages from your brand (e.g., shipping and delivery notifications). When someone opts into receiving transactional messages only, they do not agree to receive marketing messaging. So, you cannot send any messages that promote your brand or products. For more details on transactional versus promotional messaging, check out this help article.

No. These messages are time sensitive, so there are no time restrictions on when they can be sent. (Otherwise, someone might receive a delivery notification several hours after an order was actually delivered, which defeats the purpose of the text.)

We would advise against it, as there would be a high filtering risk since the domain does not match the shop domain—making the link appear fraudulent. An alternative would be crafting the message such that it encourages the subscriber to search for your shop on Amazon, rather than linking directly to it.

Yes, but to fully protect your brand, you should get a signed release from the customer before using any of the content (photos, videos, etc.) in your broader marketing materials. We recommend that you check with your legal counsel on the right form of release for your needs.

As long as the page is clearly associated with your brand, this should be okay—though there’s always a risk of filtering. To reduce your chances of being filtered by carriers, we’d recommend against using shortened URLs that “hide” your shop’s name.

First, you’ll need to ensure your opt-in forms are designed with ADA compliance in mind and that they follow WCAG 2.0 AA guidelines (Postscript’s default forms meet both of these standards). 

This includes but is not limited to:

• The buttons to open the opt-in popup, and all controls within the popup, are keyboard navigable and consumable regardless of device.

• The popup is immediately focused when it opens, and you cannot tab out of the popup while it's open.

• Labeling attributes ensure the popup content reads cleanly on screen.

• The text has a contrast ratio of 4.5:1 or greater.

• Sentences and words are easy to understand and the meaning of any written content is easy to interpret.

• Markup language (HTML, for example) is structured in a way that is easily processed by assistive technologies. This includes complete start and end tags, unique IDs, and no duplicate attributes.

Yes, we do store the data collected on our platform, specifically. We use industry-standard technical, administrative, and physical security measures to protect that information, taking into account the type of the subscriber data.

The CTIA and certain state regulations require the sender to be identified in each message, so it’s an industry standard imposed by the carriers. If you do not include your shop name in a message, you risk being flagged and suffering deliverability consequences as well as exposing yourself to state telemarketing lawsuits. It also helps ensure that you’re providing the best possible consumer experience by making sure subscribers know who the message is coming from. 

We strongly advise against it. The opt-in consent that your shop receives from subscribers in connection with receiving their number is fairly limited in scope, giving you a limited right to use the number in connection with automated marketing text messages only. This limited scope is driven by TCPA and carrier rules that require very explicit consents from customers.

When a customer opt-in to receive SMS marketing, it’s important that they are able to clearly understand what to expect from being a subscriber. Not only is this a compliance requirement, it’s part of being transparent with your customers. Given that compliance in SMS changes and will continue to change in the future, we recommend that brands use our dynamic hosted terms of service and privacy policy. This makes setting up your terms and privacy policies worry-free and hassle-free, so you can focus more of your time and energy on improving your SMS strategy and your Subscriber LTV, while the Postscript compliance team takes care of watching for required changes and updating your terms automatically. You can learn more about dynamic hosted terms of service & privacy policy here.

The Telephone Consumer Protection Act (TCPA) is federal law that applies to all states. The TCPA regulation boils down to the following statement: Consumers have the right not to receive unsolicited marketing communications via SMS, and companies should not send consumers automated SMS marketing text messages unless they have obtained a consumer’s prior express written consent. Fines for TCPA violations can be $500-$1500 per message sent.

The FTSA is essentially just Florida’s state-specific version of the TCPA that regulates calls and text messages to Florida residents, with some additional restrictions and penalties for violations including:

• Longer quiet hours (reducing waking hours to 8am to 8pm local time)

• More restrictions on what messages are allowed during quiet hours

• Limit of 3 messages within 24 hours for a specific campaign or product.

The biggest challenge for brands sending texts to Florida is serial plaintiffs attempting to capitalize on a potential gap in the drafting of the Florida statute requiring all numbers be able to receive voice callbacks on the number sending the message. Not all phone numbers support incoming calls which is why this particular piece of legislation has been under review.

You can learn more about how Postscript automatically handles FTSA requirements here including supporting the ability to forward incoming calls to your toll free number to the phone number designated inside your admin control panel. 

The TLDR is that the OTSA is Oklahoma’s version of what Florida did, including shorter quiet hours and a limit of 3 messages within a rolling 24 hour window. While Florida has seen recent changes to how and when lawsuits can be filed, the first lawsuits have been filled in Oklahoma. 

To further complicate matters, Connecticut, Maryland & New Jersey have also amended their telemarketing regulations to be more restrictive than the TCPA.  All three will be in effect within the next 6 months. Connecticut is the most recent state (late June) to sign their legislation into law with it going into effect on October 1, 2023. Maryland & New Jersey are happening towards the tail end of 2023 (Maryland on January 1, 2024 and New Jersey on December 1, 2023). You can read more about the changes to Florida, Connecticut, Maryland, and New Jersey here.

It is also important to recognize that almost each state has its own telemarketing statute – some can be more restrictive than the TCPA, while some have the same restrictions as the TCPA.

Phew, that was a lot of compliance for one blog post—but we sure covered a lot of ground. Still have a question? Get in touch! Not on the best SMS platform for revenue and compliance? Request a demo here.