The Ultimate SMS COMPLIANCE GUIDE


For many brands in ecommerce, SMS is now a top marketing channel—if not the top marketing channel. Running a successful SMS program requires more than just growing your subscriber list, sending fantastic texts, and ultimately maximizing your Subscriber LTV. Keeping your program compliant is essential for the long-term success of your SMS program.

Compliance rules and regulations exist to protect consumers and to preserve the long-term value of SMS as a marketing channel. Without rules and regulations, brands could send out a lot of spam and damage consumers’ willingness to sign up for texts and their trust in the channel.

These requirements fall into two categories: legal requirements (TCPA and state-specific) and industry requirements (carriers). Let’s take a closer look at the various governing bodies involved in SMS compliance. Each of these governing bodies has its own rules and consequences (varying from your texts getting blocked to potential lawsuits).

The Alphabet Soup of SMS Compliance
The Impact of Legal and Industry Specific Rules
Making Sure You’re Compliant Every Step of the Way
Finding The Right SMS Provider

Part 1: The Alphabet Soup of SMS Compliance

TCPA

The U.S. Congress passed the Telephone Consumer Protection Act (TCPA) in 1991. This amended the Communications Act of 1934 to address telephone marketing (which includes text message marketing sent from an automated system like Postscript). The Federal Communications Commission (FCC) is the organization that oversees violations of the regulations outlined in the TCPA. There have been updates to the TCPA since it was first passed, but at a high level, for text message marketing, brands need to be doing the following:

  • Obtain Consumer Consent: You must get consent from a consumer before messaging them. Marketing messages, like those sent from Postscript, require a higher level of consent known as prior express written consent which requires very specific language.

    • These rules apply to pop-ups, checkout opt-in, social media or email that lets subscribers opt in, and any package where a keyword or QR code allows subscribers to opt in.

    • Note: While many SMS platforms build in the compliance language for opt-in points through their system (like pop-ups and landing pages), there are some opt-in points that will live outside of your SMS platform (social media, email, display of keywords and/or QR codes).

  • Support Opt-out Requests: You must make it easy for consumers to unsubscribe from receiving your texts, and you must honor their request to unsubscribe immediately. Postscript builds this feature into our platform. 

  • Honor Quiet Hours: The federal TCPA suggests that messages be sent only between 8am and 9pm (aka waking hours). These hours vary by state (more on that in a bit).

It’s extremely important to make sure you have a clear opt-in (i.e. you are displaying the appropriate compliance language at every place you gather new SMS subscribers). This means every time someone joined your program, they were shown the compliance language with links to your privacy policy and terms of service prior to signing up.

You should also have subscribers confirm their opt-in (you’ve probably seen this in the wild when you are asked to reply Y or enter a one-time passcode after you sign up for texts). Using double opt-in validates that a subscriber wanted to receive texts from your brand. From a TCPA point of view, if you don’t have double opt-in, person X can accidentally (or purposefully) enter person Y’s phone number, causing person Y to receive messages that they did not opt in to, and they can then sue the shop for $500 to $1500 per message received.

Aside from avoiding what could turn into a multi-million-dollar lawsuit, double opt-in helps to keep your subscriber list clean by only sending to individuals that truly wanted to receive these messages. This saves your company money by removing subscribers that are far less likely to be engaged.

State Level: FTSA, OTSA, etc

State level regulations not only add a lot of additional acronyms, but also increase the complexity of staying compliant by adding additional legal requirements that apply in certain states.

In July 2021, Florida was the first state to pass their own legislation that has been referred to as FTSA (Florida Telephone Solicitation Act). The FTSA is essentially just Florida’s state-specific version of the TCPA that regulates calls and text messages to Florida residents, with some additional restrictions and penalties for violations including:

  • Longer quiet hours (reducing waking hours to 8am to 8pm local time).

  • More restrictions on what messages are allowed during quiet hours.

  • Limit of 3 messages within 24 hours for a specific campaign or product.

Because Florida was the first state to have their own rules and residents had private right of action, most of the early SMS litigation has happened in Florida. The steps for filing an SMS related lawsuit changed in late May 2023 requiring consumers to first request to opt out and be unsubscribed within 15 days before a lawsuit can be filed. While this was a welcomed change by many SMS merchants, many other states have used the original FTSA as the blueprint for their own state level regulations.

With these FTSA changes in effect, the biggest challenge for brands sending texts to Florida is serial plaintiffs attempting to capitalize on a potential gap in the drafting of the Florida statute requiring all numbers be able to receive voice callbacks on the number sending the message (not all phone numbers support incoming calls which is why this particular piece of legislation has been under review).

Washington was the second state to pass their own legislation (Washington HB 1051, no fun acronyms here) that went into effect on June 9, 2022. This largely just reduced waking hours to 8am to 8pm PST. While Washington residents did not originally have private right of action, that was later added in an amendment.

Oklahoma passed OTSA (Oklahoma Telephone Solicitation Act), which went into effect on November 1, 2022. This bill was almost exactly the same as the regulations passed in Florida. In Oklahoma, brands need to follow these additional restrictions:

  • Longer quiet hours (reducing waking hours to 8am to 8pm local time)

  • Limit of 3 messages within a rolling 24 hour window

Note: Oklahoma also has the same requirement on being able to call the number where a text message was sent from.

Connecticut is the latest state to add their own legislation (signed by their governor towards the end of June), which went into effect on October 1, 2023.

  • Longer quiet hours (reducing waking hours to 8am to 8pm local time)

There are currently 2 more states adding their own mini-TCPA regulations by the start of 2024.

New Jersey’s legislation is scheduled to go into effect in December 2023 (right in the middle of the holiday shopping season). This has 2 big requirements for brands sending texts to New Jersey residents. 

  • Longer quiet hours (reducing waking hours to 8am to 8pm local time)

  • Brands must include their mailing address in each message

Maryland’s legislation starts on January 1, 2024 with requirements that are similar to Oklahoma’s version of the FTSA. 

  • Longer quiet hours (reducing waking hours to 8am to 8pm local time)

  • Limit of 3 messages within a rolling 24 hour window

Note: Not all SMS platforms handle state level regulations the same. Postscript customers can rest easy knowing they have the tools and latest compliance updates to be sending texts compliantly.


CTIA & Carrier Rules/Best Practices

Originally known as the Cellular Telephone Communications Industry Association (then the Cellular Telecommunications and Internet Association before going with their initialism only), the CTIA is a trade association representing the wireless communications industry in the United States. The CTIA sets forth messaging principles and best practices enforced by the carriers. 

Additionally, each carrier has their own code of conduct that outlines what they deem to be the best practices for the channel. This includes best practices that are enforced and others that are simply just a best practice. What is a hard rule vs a best practice for each carrier isn’t always clear (i.e. not written but comes up during an audit) and often varies based on the type of phone number being used by a business. Dedicated Short Codes (DSC) tend to have more hard rules, but brands that go through the application and audit for a DSC will have access to higher throughput (i.e. your messages arrive faster during peak times) and are less likely to be filtered (i.e. blocked by the carriers). To make things even more complicated, what’s a “hard rule” vs “best practice” will vary from one carrier to another.

When you think about trying to follow the industry requirements (CTIA & carriers), it’s best to account for all requirements including what might just be considered a best practice. These rules can be subjective and can change from best practice to hard rule without a lot of notice. Running an SMS program while trying to account for what is allowed on some carriers is not only time consuming but potentially problematic if you don’t get everything exactly correct.

Overview of the Main Carrier Compliance Requirements

  • Promote Compliantly: The CTIA requires specific disclosures be present on text messaging promotional materials (AKA calls-to-action) including access to your SMS terms of service and privacy policy. 

  • Collect Email and Phone Numbers Separately: Fields for collecting email addresses and phone numbers (for text messaging purposes) should be on separate screens or separated by a significant distance and with distinct consumer disclosures.

  • Include Your Organization Name in Messages: The mobile carriers require your name be included in every message. This requirement is built into the Postscript platform.

  • Send an Opt-In Confirmation: The first message you send to a consumer after they opt in must be a confirmation of their opt-in (i.e. it must be a welcome message). This usually looks something like this: [Brand Name]: You’re subscribed! Reply STOP to unsubscribe, HELP for help. Msgs powered by Postscript.

  • Support Opt-out Requests: You must make it easy for consumers to unsubscribe from receiving your texts, and you must honor their request to unsubscribe immediately. (i.e. Text STOP to cancel).

  • Provide Customer Support Information: You must provide consumers with contact information for getting help with your text messaging program (i.e. Text HELP for help).

  • Limit Abandoned Cart Reminders: You must limit abandoned cart reminders to one per shopping cart event and send it within 48 hours of the event.

  • Avoid Prohibited Content (AKA SHAFT): The mobile carriers prohibit the inclusion of some types of content in your text messaging and in related content like your shop products. The primary types of prohibited content, collectively known as SHAFT are:

    • Sex*, Hate, Alcohol*, Firearms, Tobacco (including vape products and all forms of cannabis including CBD)

*With proper age gating, it’s possible to obtain carrier approval for alcohol and sexual wellness products. Keep in mind that sexual wellness spans from “health related” to sex which can be subjective and as a result some brands may need to use a dedicated short code. All brands will need to work with a trusted provider like Postscript in order to support certain subsections of SHAFT. 

Brands sending text messages in the United States will also need to make sure their phone number goes through carrier verification. The verification process will vary depending on if your brand is using a 10 digit long code (10DLC), Toll Free Number (TFN) or Dedicated Short Code (DSC). Some platforms like Postscript will handle this registration on your behalf while other platforms might require you to handle that on your own.


TIP: Don't Get Filtered

Unlike TCPA and state level regulations, brands that violate industry requirements (including hard rules, enforced best practices and best practices) are subject to filtering (i.e. your messages are blocked and don’t reach the end consumer), additional message requirements such as including opt-out directions in all messages, and/or their phone number being shut down. If a brand finds itself getting blocked by any of the major 3 US carriers, it risks not being able to message at least 1/3 of its subscribers for 30 days or more.

In order to keep your program running as smoothly as possible, you’ll want to work with a provider that has accounted for the combination of hard rules, enforced best practices and best practices to make sure you aren’t paying money for texts that ultimately don’t reach your subscribers OR have your program shut down without warning. You’ll also want to make sure your provider has a close relationship with the carriers (look for an in house carrier relations team). 

Filtering can be a common issue as certain topics can be considered off limits by carriers. Carrier filters are intended to prevent unwanted, non-compliant, truly spammy messages from clogging up subscriber inboxes—but sometimes, those filters inadvertently block compliant messages from being delivered to those who opted into receiving them. If you find yourself in that situation, you’ll want a team ready to work through those issues in a timely fashion.

Part 2: The Impact of Legal and Industry Specific Rules

TCPA

TCPA, FTSA, OTSA, CTIA, Carriers - Go compliance! Once these are combined, you can picture Captain Compliance being summoned into action (to the tune of the Captain Planet theme song. Captain Compliance, he’s our hero, Gonna take spamming down to zero, He's our rules magnified, And he's fighting on the consumers’ side)

In the absence of clear federal standards (remember TCPA doesn’t cover everything), all of these laws, governing bodies and organizations are working towards “protecting consumers from bad actors”. What’s bad by one group’s standard isn’t bad by all standards, so even for brands with the best of intentions, staying compliant when there isn’t a clear consensus on the rules can definitely be overwhelming. While this isn’t everyone’s favorite task, it’s important in maintaining the long term value of SMS as a channel. 

Many SMS providers account for some aspects of these rules, but very few platforms are built with product guardrails in place to help prevent you from accidentally sending a text that could be non-compliant (even fewer have their own in-house compliance team that will assist).

Ultimately, the lack of consensus on the rules means not all subscribers have the same legal risk. 

Remaining compliant is ultimately the responsibility of the brand. Keep in mind that the law is “strict liability”, so having the best intentions doesn’t get you off the hook… it’s black and white—you have it or you don’t.

Private Right of Action

In the case of SMS compliance, you’ll find private right of action at the state and federal level. 

  • Private refers to individuals. In the case of state laws, individuals are residents of the state where the law was passed. 

  • Right is what has been granted

  • Action refers to legal action

This basically means that a private plaintiff (aka an individual) has the right to bring a legal action when they have been impacted by the law being broken. The standard for using private right of action at the federal level is more involved (more expensive and more nuanced).

When Florida passed the FTSA, it gave residents the ability to take legal action against companies when specific rules were violated. The unintended consequence is that it empowered serial plaintiffs and ambulance-chaser-like firms that specialize in SMS, opening the floodgates for demand letters and lawsuits.

Not every state that passes their own state level set of regulations will have a private right of action and it can be added later. Washington state, for example, originally passed their regulations without the ability for Washington residents to take legal action, but later amended the law to give that right. 

Additionally, when these laws are created there are often different sections and some sections will have private right of action, while others reserve the right to state enforcement.


Tip: The High Risk Subscriber

When it comes to managing risk, you’ll want to be extra cautious when dealing with a high risk subscriber. If you haven’t heard the term before, a high risk subscriber is a resident of a state that has their own compliance laws and the heightened ability to take legal action against your company. Legal action can include sending demand letters (threatening a lawsuit) or serving lawsuits (without any demand letters or notice).

Getting a demand letter can be pretty scary (and so are lawsuits) if you can’t show that a subscriber compliantly opted in to receive texts. This includes having proof of “expressed written consent” along with the details of where they opted in. Subscribers can opt-in digitally and still have “expressed written consent”. So when a subscriber enters their phone number into a pop up (with the proper compliance language) and hits the submit button this meets the requirements for expressed written consent.

Part 3: Making Sure You’re Compliant Every Step of the Way

Demonstrating a Compliant User Journey

The majority of compliance related lawsuits come down to being able to demonstrate a compliant user journey. This boils down to showing that the subscriber was shown the appropriate language (i.e. they knew the terms of signing up for texts), opted in and has not requested to unsubscribe.

There are 3 steps you will want to take in order to demonstrate that the user had compliantly opted-in. 

Step 1: The Opt-in Point. What did the user see when they opted in? Take a screenshot of these opt-in points and save them to a folder. 


Step 2: Messaging Records covering keywords, reply messages to show opt in confirmation.


Step 3: Showing no record of opt out had been provided to the company.


You need to hang onto these records for 5 years. Although this may sound tedious, it’s the best way you can prove your list of subscribers is fully compliant. Keeping these records as you grow your list is going to be a lot easier than going back and looking for this information later. 

Let’s say, for example, that a subscriber who signed up for texts via a social media post says they received unwanted text messages. Here is what you’ll need to have and what you will need to get from your SMS platform.

  • You’ll need to have a record of the post to show that you gathered this subscriber compliantly (Screenshot of the post that includes the compliance language).

  • As long as the subscriber had opted in to your SMS program, your SMS platform will have the messaging log (e.g. keywords and confirmed opt-in) to show that the subscriber did in fact sign up for texts as well as the records to show that they never requested to opt out.

Gathering Subscribers Compliantly

The steps you need to take when gathering subscribers will likely vary depending on where you are promoting your SMS program. Remember there are both legal & industry requirements that you need to follow when you are telling a potential subscriber about joining your program. 

For ecommerce merchants, most opt-in points that happen on your Shopify store will automatically have the correct compliance language that is added by your SMS platform. This includes pop-ups, landing pages and checkout. You should still audit these opt-in points during setup. 

This gets a bit more complicated when you are gathering subscribers off your website (in emails, social media, QR codes and marketing collateral that tells customers how to opt in via a keyword) because you will need to create and document a compliant user journey.

Here are a few things you’ll want to keep in mind if a potential subscriber can opt in directly from that marketing collateral: 

  • Disclosure must be in readable font - both in terms of size and color against the background;

  • Disclosure must be close to the CTA button - while placement above the CTA button is not required, it is highly preferred;

  • Websites, landing pages, social media pages, checkout pages etc should not be cluttered or otherwise full of impertinent language in different font sizes and colors that might distract from the TCPA disclosure;

  • TCPA Disclosure should actually and clearly explain that by clicking the CTA button, the customer will actually be accepting the disclosure;

  • Disclosure must be apparent at the time the customer clicks the “submit” button and cannot pop up only before or after the CTA button is presented;

  • Hyperlinks must be obvious and underlined or capitalized;

  • Access to terms of service & privacy policy. Ideally you’ll want to have clickable links that open up your TOS and privacy policy, but in some cases you are limited to a single link (like an Instagram story) or it’s on printed material (like a QR code or billboard sign). In those cases, make sure you have the URL to those pages written out so a subscriber could navigate to those pages.

  • Opt-in to SMS and email should be separate (ie: on different pop up pages or separate forms). 

  • No pre-checked opt-in boxes. Customers have to choose to opt in and having a box pre-checked means that someone could sign up without their knowledge / expressed consent. 

Important Actions Every Brand Should Take

If you don’t already have a record of your on-site and off-site opt-ins, you’ll want to make sure you get both historical and current opt-ins documented. The goal here is to document the experience where a subscriber opted-in. 

If you are directing all of your opt-ins to a landing page on your site, then you’ll just need a record of that landing page. But if you used keywords or QR codes where a subscriber would have opted in by sending a text, you’ll need to capture the experience that includes where they saw the keyword, QR code, etc (including the compliance language).

When it comes to email, you’ll want to capture any emails that have a unique call to action to join your SMS list. Some brands will use a template in the footer of their email that is regularly included in emails; you’ll just want to capture any different versions of a footer opt-in (if it’s the same in all emails you only need to save it once).


Tip: Caution: Danger Ahead

The most dangerous and challenging thing about a high risk subscriber is any subscriber could eventually have a heightened ability to take legal action against your company if their state adds their own legislation that includes private right of action. You won't always know who is “high risk” in advance given the constant changes with SMS compliance especially at the state level as more states add their own unique laws. The best way to be prepared is to assume any subscriber can become high risk and always keep records of their opt-ins so you can demonstrate a compliant user journey. 

When you switch from one platform to another, you’ll need to make sure you get this information BEFORE you no longer have access to your subscriber data.

Options for Handling Subscribers with Incomplete Documentation

If you have been doing SMS marketing for a while, you may find yourself in a situation where you’ve gathered a subscriber compliantly, but lack the documentation required to demonstrate a compliant user journey. This can be more common if you’ve switched providers more than once depending on how your subscriber data information was uploaded originally and if you still have a copy of the original upload or if you are referencing data from your most recent provider. 

For example, your original export of subscribers from your first platform should have details about the opt-in source, but those details might not be easily re-exported if you don’t have the original file when you move from platform #2 to platform #3. Keep in mind, you’ll need exports from platform #2 to make sure that a subscriber didn’t opt out during the time you were using that platform.

Holding on to your historical records (including subscriber opt-ins, opt-outs and screenshots of the sources from each provider) can help you maintain the required documentation in case you have a demand letter or lawsuit in the future. 

The industry best practice would be to remove any subscriber where you don’t have full documentation. If you don’t want to remove these subscribers, you’ll want to speak to your outside counsel to determine if your business wants to take on that risk. 

Part 4: Finding The Right SMS Provider

How your SMS Provider Can Help

When it comes to keeping your SMS program compliant, choosing the right provider can make a huge difference. At a minimum most platforms cover the basics such as making sure your pop ups have compliance language, support for quiet hours on automations, automatically unsubscribing someone who replies STOP, etc. 

Compliance first SMS providers go several steps further to make sure you have all the tools to keep your program running compliantly and reduce the burden on your team. This can come in the form of built in product guardrails and regular compliance updates, in house carrier relations team and a range of support managed by their in house compliance team. 

Here are the ways your vendor can help you stay compliant:

Compliance built into the platform

  • Quiet hours features for campaigns and automations

  • Tools to support state specific regulations (shorter quiet hours, message caps, etc)

  • Updates to compliance features as SMS compliance changes and new states add rules

  • Support for sending messages based on your subscriber’s time zone

  • Litigator Block list (removing numbers tied to known SMS litigation)

  • Automatic removal of subscribers who change carriers

  • Support for fuzzy opt-outs (removing a subscriber who says “stopp” instead of “stop”)

  • Forward incoming calls to your Toll Free Number to your desired customer contact number

In house compliance team

  • Support that lets you get answers to compliance related questions

  • Actively monitors changes to SMS compliance (federal, state, CTIA & carrier rules/best practices) 

  • Proactively monitors trends to identify potential risks and proactively assist merchants

  • Reviews subscriber list uploads

  • Offers optional compliance audits/consultations 

  • Provides proactive support if your team receives a demand letter

In house carrier relations team 

  • Works directly with carriers if messages get filtered

  • Trusted provider status that can support some SHAFT sub verticals like alcohol and sexual wellness

Some providers (like Postscript) will even hold onto your historical subscriber data. So if you do have a demand letter or lawsuit involving a subscriber that you gathered on Postscript, you can always log back into your Postscript account (current customer or not) and identify the original opt-in source for a specific subscriber. You will need this information to help validate that a subscriber had compliantly opted in to your SMS program. Some providers will require you to contact them directly to get this information, while other providers don’t hold onto this historical information (and it will be on you to have saved this information).

A compliance first provider can take a lot of the heavy lifting off your shoulders. There will always be tasks your team needs to manage such as keeping proper documentation, sending opt-out reminders at least once a month (Stop to Stop), and including compliance language in opt-in sources not managed by your provider.

Don’t let this happen to you

Many brands find themselves caught off guard when something goes wrong. There is a misconception that only large companies get demand letters or face lawsuits for SMS compliance. 

Unfortunately, that couldn’t be further from the truth. Florida in particular was hit by a wave of demand letters and lawsuits after the original FTSA was passed. These serial plaintiffs often use a “spray and pray” playbook: targeting as many brands of all sizes as possible in hopes that something sticks (i.e. they are able to get a merchant to settle after getting a demand letter).

Here are a few examples of state level lawsuits & demand letters.

David’s Bridal
Plaintiff Cheri Aul found herself receiving text messages from David’s Bridal after she changed carriers and received a new phone number. She wasn’t a customer of David’s Bridal and went to their website to find out how to unsubscribe from receiving texts. She texted “STOP” every time she got another text from David’s Bridal. 

When the lawsuit was filed, Aul included screenshots of both the incoming messages and her replies to stop (which were sent to the number listed on the David’s Bridal website).

[Image: David’s Bridal opt-out screenshots]

Image Source: Florida Pinellas County case 21-004589-CI

TLDR: David’s Bridal was sued for violating the FTSA in the state of Florida, specifically failure to: (i) honor repeated opt-out requests and (ii) monitor reassigned numbers (when a person gives up their number and it is given to a new person).

David’s Bridal did not automatically remove the plaintiff’s phone number from the list of subscribers when the previous owner of that number switched to another cell phone provider. Thus the plaintiff was receiving text messages someone else had opted in to but she had not requested.

David’s Bridal had two different short code numbers in usage (based on the screenshots submitted by the plaintiff). The David’s Bridal phone number on their website didn’t match the number the first set of messages came from.

Like many FTSA lawsuits this took well over a year to be resolved and ultimately David’s Bridal settled out of court for an undisclosed amount. 

We hope you never see one of these, but this is what a demand letter usually looks like. 

[Image: sample demand letter]

If you do get a demand letter, you’ll want to reach out to your provider (not all providers will offer guidance, but they will have your message records).


Tip: Provider Red Flags

When it comes to staying compliant, it’s no surprise a compliance first provider can make your life a lot easier. When it comes to other providers, the challenges can be more than just a lack of features.

Look out for these red flags 

  • You aren’t able to easily export your subscriber data

  • Your subscriber data is hard to understand. You might need to reference this in the future, to show when someone opted in and the original opt-in source.

  • Your SMS provider won’t help you answer questions about your subscriber data (especially on being able to find that original opt-in source & when someone opted in)

  • Your SMS data and email data are mixed together and can’t be easily separated

  • Your provider lets you upload data without any sort of requirements (this can allow your list to have non compliant subscribers)

  • You don’t receive any updates on compliance changes (if you haven’t already heard about Florida, Washington, Oklahoma, and Connecticut you should have)

  • Anytime you ask compliance related questions, you are always told to talk to your outside counsel

If you have any of these challenges with your current provider, you should consider looking at alternative platforms that can better support you as the SMS compliance landscape continues to evolve. While no one can say for certain what will come next, most experts agree that compliance is only going to get more complicated over time.

How to Avoid This Happening To Your Brand

Getting a demand letter can be unnerving to say the least, and serial plaintiffs are hoping that brands will just settle rather than try to push back (“spray and pray” in action). Getting guidance on how to navigate these situations from your provider can make a big difference.

As more subscribers across a growing number of states have a heightened ability to take legal action against your company, there are several actions you can take to both stay compliant and be prepared for a subscriber to take legal action against your brand. 

  • Follow TCPA, State level, CTIA and carrier best practices

  • Keep records of your opt-ins: both screenshots of what the user journey looked like (to show that everything, including the proper compliance language, was shown) and the logs showing that a subscriber opted in. You will need to hold onto these records for at least 5 years.

    • When you switch providers, keep your original records of opt-ins, opt-outs and those screenshots. 

  • Always use double opt-in for gathering new subscribers

  • Remember to include opt-out directions in your texts at least once a month

  • Make sure your texts are only sent during waking hours (remember this varies by state)

  • Follow all state-specific regulations beyond just shorter waking hours, such as message caps for a rolling 24-hour window.

  • Use a compliance-first provider (see how your provider can help). Look for one that:

    • Has an in-house compliance team that closely monitors changes in regulation and monitors for potential bad actors 

    • Offers product guardrails with updates as state regulations change

    • Automatically removes subscribers who change carriers

    • Supports forwarding your Toll Free Number to a designated contact number

    • Offers optional compliance audits/consultations

    • Has a compliance team that can provide proactive assistance in case of demand letters or lawsuits.

Remember, having proper records to demonstrate a compliant user journey is critical in handling both demand letters and lawsuits, as plaintiffs may claim that they hadn’t opted in to receive texts (i.e., putting the burden on the brand to demonstrate proof of opt-in).

Serial plaintiffs are hoping that brands will just settle rather than try to push back. Having proactive help from your provider and the right records make a big difference in how much time and money you’ll end up spending.

Part 4: Migrating to a Compliant-First Provider

At the end of the day, most merchants are looking to focus on running their ecommerce business and maximizing their Shopify orders (getting that endorphin kick from the “Cha Ching”). With SMS becoming the top revenue channel for an increasing number of Shopify brands, you don’t want to miss out on acquiring new marketing subscribers, driving that first sale and then continuing to deliver an amazing customer experience as first time buyers become repeat buyers. 

Running your SMS program compliantly is critical to your long term success, but it doesn’t have to be extremely tedious and involved. When you use a compliance first provider, like Postscript, you can spend a lot less time managing all the different aspects of compliance because it’s already built in. 

Not sure what to look for when selecting a new provider? You can use the list of ways your SMS vendor can help your program stay compliant and the list of red flags to help you decide on your next provider. (If you aren’t currently using Postscript, our team would be happy to help answer questions as you look at your options.)

Once you’ve decided on your new provider, here are the steps you’ll want to take while you still have access to your current SMS provider. 

  • Make a list of the ways you’ve grown your subscribers

  • Export a list of your current subscribers. Make sure this export includes the following: source of opt-in, opt-in date/timestamp, subscribed/unsubscribed status

  • Export a list of all unsubscribers. Some platforms can have duplicate customer profiles, which runs the risk of the opt-in showing on one profile and the opt-out showing on a different profile.

For each unique opt-in method take a screenshot that shows the user journey. You’ll want to make sure you can see where the customer entered their information including the compliance language OR the directions given on how to sign up via text including the compliance language. Make sure you have a screenshot for every opt-in source on your subscriber export.

A few other things to keep in mind while switching providers

  • Determine if you plan on keeping your existing phone number. If you are going to bring your number with you, it will need to be transferred. Your new provider may or may not help you with this process. 

  • If you are getting a new number, you’ll need to send a final message from your old number letting subscribers know you are getting a new number. The final message on your old number should include:

    • Your shop name

    • Your new number

    • Opt-out information (e.g., Reply STOP to stop)

    • Message frequency disclosure

    • Disclosure notifying subscribers that message and data rates may apply

    • Other important details regarding transition (e.g., customer care contact information)

Here’s an example of what this message may look like:
{shop_name}: We’re getting a new number! [insert number here]. [insert potential marketing message]. As a reminder, reply STOP to stop, HELP for help. Msg & data rates may apply. Msgs are recurring.

We recommend sending this message a few days before you switch over to your new number.

Your first message on the new number should include

  • Your shop name

  • Opt-out information (e.g., Reply STOP to stop)

  • Customer care contact information (e.g., Reply HELP for help)

  • Message frequency disclosure

  • Disclosure notifying subscribers that message and data rates may apply

Here’s an example of what this message may look like:
{shop_name}: We have a new number! [insert your marketing message]. As a reminder, reply STOP to stop, HELP for help. Msg & data rates may apply. Msgs are recurring.

Once you’ve made the switch over to your new compliance first provider, don’t forget to take a moment to celebrate. Staying compliant in the face of constant regulation changes can feel overwhelming. Using a compliance first platform (like Postscript) can let you offload some of that stress and let you get back to making SMS your #1 revenue channel. 