How to Build Compliant Text Message Marketing Campaigns in the U.S.

Many organizations use text messages to communicate directly with customers because these channels deliver messages straight to recipients’ devices. Their immediacy and personal nature make them an important consideration for any communication strategy, requiring careful attention to how they are implemented.

Compliance with U.S. text message marketing (commonly referred to as “SMS marketing”) rules requires more than merely obtaining consent—organizations must reconcile the requirements of federal and state laws as well as carrier‑driven standards. This article outlines the U.S. legal framework governing text message marketing and lists key practices that help minimize legal exposure while maximizing trust.

What is Text Message Marketing?

Text message marketing refers to the use of text messages—including SMS (Short Message Service), MMS (Multimedia Message Service), RCS (Rich Communication Service), and other similar mobile messaging technologies—to promote products, services, and brands to consumers’ mobile phones. Not all text messages are marketing messages; some are informational or transactional. Because legal obligations vary by message type, organizations should classify messages by purpose and content before determining the applicable requirements.

U.S. Legal Framework

At the federal level, text message marketing is governed by the Telephone Consumer Protection Act (TCPA) and, to a limited extent, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM). These laws are clarified by regulations and guidance issued by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC), and have been further shaped by agency orders and courts’ interpretations. These statutes regulate unsolicited commercial communications and, in certain circumstances, require consent before sending promotional text messages. In addition, various state telemarketing laws may impose stricter or supplemental requirements.

TCPA 

Enacted in 1991 to address unsolicited marketing calls, telemarketing calls, and certain automated communications, the TCPA has been interpreted by the FCC and courts to apply to text messages sent to mobile phones. The statute restricts marketing calls or texts made using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice, and generally requires the recipient’s prior express written consent for such calls or texts. The TCPA and FCC rules also impose separate requirements relating to do-not-call lists, opt-out processing, and time-of-day restrictions. 

In Facebook v. Duguid, the U.S. Supreme Court clarified that an ATDS is equipment that uses a random or sequential number generator to store or produce telephone numbers to be called. Systems that merely send messages to numbers from a pre-existing or curated list typically do not meet this definition. As a result, the TCPA’s prior express written consent requirement is generally triggered only where marketing texts are sent using equipment that qualifies as an ATDS or involve an artificial or prerecorded voice, though other federal and state requirements may still apply to promotional text messages sent without such technology. 

The TCPA presents significant class action risk for telemarketing organizations. The statute gives consumers a private right of action for violations, with statutory damages up to $500 per text and up to $1,500 per text for willful violations.

CAN-SPAM

Though originally enacted to regulate promotional email, the CAN‑SPAM Act can also apply to certain text messages sent to wireless devices through internet-to-phone email gateways (e.g., messages sent or forwarded to [email protected]). The statute applies to “commercial electronic mail messages” whose primary purpose is advertisement or promotion. CAN-SPAM does not replace TCPA consent requirements but adds another layer of obligation, primarily focused on message content and consumer choice, requiring promotional messages to be clearly identifiable as ads, and to include an easy opt‑out mechanism and a physical postal address.

Although not subject to class action suits, each non‑compliant message can trigger civil penalties of up to approximately $53,000 under CAN-SPAM, creating substantial liability for businesses operating campaigns at scale.

Industry-Specific Guidelines

Text message marketing is also shaped by industry-specific guidance from the Cellular Telecommunications Industry Association (CTIA). Though not binding law, CTIA rules are agreed to and enforced by mobile carriers through policies and contractual obligations, making them the de facto industry standard. Carriers actively monitor messaging traffic and may filter out text messages that are non-compliant with CTIA rules.

Compliance Checklist for Companies Using Text Message Marketing

The legal and regulatory framework governing text message marketing is multi-layered. In practice, compliance turns not only on what messages are sent, but how they are sent, to whom, and under what consent structure.

The checklist below translates these requirements into operational steps. The applicability of each item will depend on the nature of the message (marketing vs. informational), the technology used, and the jurisdictions involved. Not every obligation applies in every circumstance, but each should be evaluated when designing or auditing a text message campaign.

1. Determine When Written Consent Is Required for Promotional Texts

Consumer consent is an essential compliance component under the TCPA and should be a primary focus. Organizations must obtain appropriate consent from the recipient before sending promotional text messages, and must collect consumers’ prior express written consent where required under the TCPA and applicable do-not-call rules, before sending any (1) promotional texts using ATDS or artificial/prerecorded voice technology, or (2) promotional texts (including those sent without an ATDS) to numbers on the National Do Not Call (DNC) Registry or the organization’s internal DNC list, unless one of the limited exceptions apply. In addition to the TCPA, organizations should keep in mind that state telemarketing laws and carrier/industry requirements may also impose consent or other obligations on promotional text messages, even where the TCPA’s written‑consent triggers are not met. 

To be TCPA-compliant, an invitation to opt in (also called “call-to-action”) must:

  • Be in writing (including digital/electronic signatures); 
  • Clearly authorize the sender to deliver marketing texts; 
  • Identify the phone number at which messages will be received; 
  • Disclose that consent is not a purchase condition; 
  • Be documented and stored.

In addition, the CTIA’s Messaging Principles and Best Practices expect the call-to-action to include:

  • The program or product description; 
  • A link to the terms and conditions, the privacy policy, and customer care contact information; 
  • The identity of the organization sending the messages; 
  • The telephone number or short code from which messaging will originate; 
  • A disclosure about applicable data rates; 
  • Clear opt-out instructions; 
  • Message frequency disclosure.

Admissible ways to collect valid prior express written consent include:

  • Checkboxes (which cannot be pre-ticked) explicitly authorizing text message marketing; 
  • Point-of-sale or mobile app opt-in screens; 
  • Confirmatory buttons in online or paper forms—for example, a button such as “I Agree” next to a disclaimer stating that the consumer is subscribing to receive text messages from the organization upon submission of the form;  
  • Keyword responses—i.e. sending a text containing a short keyword, such as “JOIN” or “SUBSCRIBE”.

For recurring text messages, the CTIA requires sending a confirmation message immediately after opt-in. Double opt-in—requiring the recipient to re-confirm their consent by sending a keyword—is not formally required but is recommended. The confirmation message should contain the program or product description, customer care instructions, opt-out instructions, the frequency of the messaging, and disclosure about fees and how they will be charged.

Bear in mind that in TCPA litigation, disputes often center not only on whether the consumer provided consent, but whether the organization exceeded the scope of that consent. For example, if a text program promises no more than one message per month but sends more, it exposes the sender to liability. For this reason, it is important that consent language is drafted to reflect the actual purposes and anticipated messaging practices of the marketing program.

2. Collect Appropriate Consent for Informational Texts

Informational or transactional messages provide non‑marketing information without promoting a product or a commercial offer. Examples include order confirmations, bank or credit‑card alerts, airline notifications, shipment tracking, or wireless‑usage notifications sent by mobile carriers. Where prior express consent is required under applicable law for those types of messages (such as when an ATDS is used), consent can be given orally or even be implied, for example by the consumer simply providing their phone number in a form. Dual-purpose texts, i.e. conveying both an informational and promotional message, may be treated as promotional text messages depending on their primary purpose and may require written consent if their primary purpose is advertising or telemarketing.

3. Respect Content Requirements in Your Text Messages

Compliant message design minimizes legal risk and consumer complaints. When CAN-SPAM applies, header information (“From,” “To,” “Reply-To,” and the originating domain name) must correctly identify the organization doing the marketing and include its physical postal address when the message qualifies as a commercial electronic mail message when transmitted as an email, including via internet‑to‑phone email gateways. The subject line must accurately reflect the content of the message, and the message must disclose clearly that it is an advertisement unless the recipient has provided prior affirmative consent.  

Importantly, the message must include an option to opt out of receiving future communications from the sending organization. A standard best practice is allowing consumers to respond to a promotional text message with the words “stop,” “quit,” “end,” “opt out,” or “unsubscribe.” Small variations in a consumer’s opt‑out message—like capitalization or punctuation—should not affect its validity. If the revoking text uses words other than those listed in FCC guidance, the opt-out must still be valid if a reasonable person would understand those words as conveying revocation of consent.

In addition, message senders should actively prevent content that is unlawful, harmful, deceptive, harassing, or privacy‑invasive; and must refrain from sending messages containing threats, malware, or incitement to harm in accordance with applicable law and carrier policies.

4. Respect Quiet Hours

The TCPA and the FCC’s implementing rules prohibit telephone solicitations, including marketing text messages, from being sent to consumers during “quiet hours,” meaning before 8:00 a.m. and after 9:00 p.m. in the recipient’s local time zone. For nationwide text campaigns, it is essential to account for time‑zone differences—for example, a message sent at 9:00 a.m. Eastern Time would still fall within quiet hours for recipients located on the West Coast. Federal law does not impose frequency limits for sending text messages, though some states do impose frequency and stricter hour‑of‑day restrictions. A best practice is to apply reasonable frequency limits to avoid overwhelming recipients.

5. Keep Up-To-Date Internal Records

If litigation or enforcement arises, the organization engaging in the campaign bears the burden of demonstrating that it obtained valid consent. The CTIA’s Messaging Principles and Best Practices require maintaining timestamped records of consent acquisition, its medium (e.g., a web form, SMS opt‑in, or paper form), technical data such as the IP address used to grant consent (where applicable), the consumer’s phone number for which consent was granted, the consumer’s identity, the exact consent language, and the specific text message campaign for which the opt-in was provided. 

Opt-out requests must also be recorded in an internal DNC list, and a written policy on DNC procedures must be implemented. Companies must provide training for personnel on the use of the DNC list. The DNC list must be up-to-date, and procedures should address reassigned or newly obtained phone numbers, which may require obtaining new consent from the current subscriber.

Reasonable technical, physical, and administrative security measures should be in place to protect recorded consumer data. Finally, a clear and accessible privacy policy should be maintained.

6. Regularly Screen Data Against the DNC Registry and the Reassigned Numbers Database

Organizations engaging in telemarketing must have procedures in place to avoid calling or sending marketing text messages to numbers on the DNC Registry. Their contacts lists must be screened against the DNC Registry at least every 31 days, and their internal DNC lists must be updated accordingly.  

When a consumer changes wireless numbers, prior consent from the former subscriber or customary user no longer covers calls or texts to that reassigned number. The Reassigned Numbers Database (RND) allows organizations to check whether a number has been permanently disconnected or reassigned, and should also be consulted on a regular basis.

7. Honor Opt-Out Requests Promptly

Every marketing message must provide simple instructions for the recipient to revoke consent. The FCC’s TCPA Report and Order requires companies to honor opt-out requests “as soon as practicable,” and in any event “no longer than 10 business days.” CAN-SPAM imposes a similar 10 business-days term for covered commercial electronic mail messages. Following revocation, the organization is entitled to a single follow-up message confirming that the consumer will not receive future texts. Internal DNC records must be updated with every opt-out request, and the request must be honored for five years from the time it is made.

8. Screen Vendors for Compliance

Organizations that outsource their telemarketing campaigns to a third-party can be held liable for their vendor’s violations of the TCPA or CAN-SPAM. Under the TCPA, liability may arise in some circumstances, for instance where the organization lets a third-party access systems or data normally under its sole control, allows use of its branding, or drafts or reviews the telemarketer’s scripts. Under CAN-SPAM, liability attaches when a company is considered a “sender” or initiator of the message, or knows—or should know—that its products are being promoted in a non‑compliant message, expects economic benefit from the promotion, and takes no action to prevent the violation.

Consequently, organizations should choose third‑party telemarketing vendors that are reputable and trained in TCPA compliance. Contracts should require vendors to follow all federal and state telemarketing laws and to indemnify the organization for any violation.

9. Be Mindful of State Telemarketing Laws

In addition to federal law, state telemarketing and consumer protection laws can apply more stringent obligations. This patchwork of so-called “mini-TCPAs” complicates nationwide SMS marketing efforts, as some states maintain a separate DNC list, require telemarketers to register before contacting residents, or set specific quiet hours.

For example, a number of states maintain their own state DNC lists. In addition, many states require telemarketers to register at a state level to run campaigns, and some of these states also require posting a bond or meeting financial responsibility requirements.

State laws increasingly impose their own “quiet hours” and frequency limits on telemarketing, including text message outreach. These rules often restrict when commercial text messages may be sent, require businesses to adhere to the recipient’s local time zone, and cap the number of messages that may be delivered about the same subject within a given period. Some states also limit daily outreach frequency or impose additional conditions on certain types of communications.

Concluding Considerations

To respect consumers’ rights and avoid liability, organizations must align messaging strategies with clear compliance expectations. This means, among other things, obtaining and documenting consent, designing transparent messages, and honoring opt-outs promptly.

Compliance conscious practices are what separate sustainable text message marketing programs from costly legal failures. Organizations that monitor changes and update their programs will be best positioned to protect consumer rights and preserve competitive advantage.

VeraSafe offers practical assistance to help ensure compliant and resilient text message marketing practices. Book a free consultation to get started.

You may also like:
COPPA Compliance 2025: What Organizations Need to Know
U.S. Privacy Laws for Nonprofits  
How Organizations Can Prepare for U.S. Privacy Laws in 2026

Related topics: US Privacy Laws

Monthly Newsletter

Contact VeraSafe to discuss your data security management and privacy program today.

Get a Quote Now

Related Posts