SMS Marketing Compliance Checklist: Complete TCPA & 10DLC Guide for 2025

Author: Rachel Thompson, Compliance and Regulatory Expert
Published: November 15, 2024

SMS marketing compliance isn't optional—it's mandatory. Violations cost $500 to $1,500 per message, and class-action lawsuits can bankrupt businesses overnight.

The regulatory landscape for text message marketing includes TCPA (Telephone Consumer Protection Act), TCPA guidelines, CTIA requirements, 10DLC registration, carrier-specific rules, and state-level regulations. It's complex, constantly evolving, and non-negotiable.

This comprehensive guide breaks down everything you need to know to run legally compliant SMS marketing campaigns in 2025.

The Cost of Non-Compliance

Why compliance matters:

TCPA violations:

  • $500 per unsolicited text message
  • $1,500 per message for willful violations
  • Class-action lawsuits averaging $5-60 million
  • Criminal penalties for egregious violations

Recent settlements:

  • Papa John's: $16.5 million (2020)
  • Jiffy Lube: $47 million (2020)
  • Carnival Cruise Lines: $5 million (2019)
  • McDonald's: $3.75 million (2019)

Carrier consequences:

  • Number blacklisting (permanent ban)
  • Reduced message delivery rates
  • Brand flagged as spam
  • Loss of 10DLC registration

Bottom line: Compliance is exponentially cheaper than non-compliance.

SMS Compliance Checklist: The Essentials

✅ 1. Get Explicit Written Consent

The rule: You MUST obtain explicit, written consent before sending ANY marketing text messages.

What constitutes valid consent:

  • ✅ Clear opt-in language
  • ✅ Explicit agreement to receive SMS marketing
  • ✅ Disclosure of message frequency
  • ✅ Clear statement about message and data rates
  • ✅ Opt-out instructions
  • ✅ Timestamp and record of consent

Valid opt-in example:
"By entering your phone number and clicking Submit, you agree to receive SMS marketing messages from [Brand Name]. Msg frequency varies. Msg & data rates may apply. Reply STOP to opt out."

Invalid opt-in examples:

  • ❌ Pre-checked boxes
  • ❌ "By making a purchase, you agree to marketing messages"
  • ❌ Implied consent from email subscription
  • ❌ Opt-out instead of opt-in approach

✅ 2. Identify Your Business Clearly

The rule: Every message must clearly identify who is sending it.

Compliant message structure:
"[Brand Name]: Your order has shipped! Track it here: [link]. Reply STOP to end."

Required elements:

  • Business name in the message (at minimum, in the first message)
  • Toll-free customer service number (available upon request)
  • Physical business address (available upon request)

✅ 3. Provide Clear Opt-Out Instructions

The rule: Every marketing message must include simple, free opt-out instructions.

Standard opt-out language:
"Reply STOP to unsubscribe"
"Text STOP to opt out"
"Reply STOP to end"

Opt-out requirements:

  • Must be FREE (no charges to opt out)
  • Must process immediately (within 5 minutes maximum)
  • Must send confirmation message
  • Must honor across all campaigns (can't opt out of one campaign but remain in others)
  • Must maintain DNC (Do Not Contact) list permanently

Opt-out confirmation example:
"You've been unsubscribed from [Brand Name] messages. You won't receive further texts. Text START to resubscribe."

✅ 4. Honor Opt-Outs Immediately

The rule: Process opt-out requests within 5 minutes and send confirmation.

Implementation:

  • Automate opt-out processing (don't rely on manual review)
  • Remove from ALL campaigns simultaneously
  • Send confirmation message
  • Maintain permanent DNC list
  • Never re-add without explicit new opt-in

Legal requirement: Continuing to message after opt-out is a $500-$1,500 per message violation.

✅ 5. Respect Timing Restrictions

The rule: Don't send marketing messages outside acceptable hours.

Federal TCPA guidelines:

  • ❌ Before 8 AM local time
  • ❌ After 9 PM local time
  • ✅ 8 AM - 9 PM local time

Best practices (higher engagement, lower complaints):

  • ✅ 9 AM - 8 PM local time
  • ✅ Avoid Sundays
  • ✅ Avoid major holidays
  • ✅ Consider time zones (send based on recipient's timezone, not yours)

Exception: Transactional messages (order confirmations, shipping updates, appointment reminders) can be sent outside these hours if necessary and expected.

✅ 6. Maintain Detailed Records

The rule: Keep records of all opt-ins, opt-outs, and messages sent.

Required records:

  • Opt-in timestamp and date
  • Opt-in source (website form, keyword, POS, etc.)
  • Opt-in method (web form, checkbox, text-to-join)
  • IP address (for web opt-ins)
  • Copy of opt-in language shown to subscriber
  • Phone number
  • Consent scope (what they agreed to receive)
  • All messages sent to that number
  • Opt-out date and time (if applicable)

Retention period: Minimum 4 years (some states require longer)

Why records matter: In a lawsuit, YOU must prove you had consent. No records = automatic loss.

✅ 7. Include Required Disclosures

The rule: Opt-in forms must include specific disclosures.

Required disclosure language:
"By providing your phone number, you agree to receive marketing text messages from [Brand Name]. Consent is not a condition of purchase. Msg & data rates may apply. Msg frequency varies. Reply HELP for help, STOP to opt out."

Key elements:

  • ✅ Clear statement of what they're agreeing to
  • ✅ "Consent is not a condition of purchase" (if applicable)
  • ✅ Message frequency expectations
  • ✅ Msg & data rates disclosure
  • ✅ HELP and STOP keywords
  • ✅ Link to Terms & Conditions
  • ✅ Link to Privacy Policy

✅ 8. Implement HELP Keyword Auto-Response

The rule: Provide automated helpful information when customers text HELP.

HELP auto-response example:
"[Brand Name] Support: For assistance, call 1-800-XXX-XXXX or visit [website]. Msg frequency varies. Reply STOP to end. Msg & data rates may apply."

Required in HELP response:

  • Customer service contact information
  • Opt-out instructions
  • Message frequency reminder
  • Msg & data rates disclosure

✅ 9. Don't Share or Sell Phone Numbers

The rule: Phone numbers collected for SMS marketing cannot be sold or shared without explicit consent.

Implications:

  • Can't sell subscriber lists
  • Can't share with affiliates without consent
  • Can't use for different marketing purposes without consent
  • Must disclose in Privacy Policy how phone numbers are used

Exception: Third-party SMS platforms processing messages on your behalf (they're service providers, not recipients of data).

✅ 10. Comply with State-Specific Laws

The rule: Federal law is the minimum. Some states have stricter requirements.

State-specific considerations:

California (CCPA/CPRA):

  • Right to know what data you collect
  • Right to delete personal information
  • Right to opt out of data sales
  • Requires Privacy Policy updates

Florida:

  • Additional restrictions on automated calling/texting
  • Stricter consent requirements

Illinois (BIPA):

  • Biometric data restrictions
  • Applies if using voice-based opt-ins

Action item: Consult with legal counsel about state-specific requirements in your target markets.

10DLC Registration: What You Need to Know

What is 10DLC?

10DLC = 10-Digit Long Code

10DLC is a system carriers (AT&T, T-Mobile, Verizon) implemented to verify legitimate businesses and reduce spam.

Why it matters:

  • Without 10DLC registration: Your messages get filtered as spam, delivery rates drop to 30-50%, or messages are blocked entirely
  • With 10DLC registration: 98%+ delivery rates, higher throughput, better sender reputation

As of 2023: 10DLC registration is MANDATORY for all A2P (Application-to-Person) messaging on long codes.

10DLC Registration Process

Step 1: Register Your Business

Provide:

  • Legal business name
  • Business address
  • Tax ID (EIN)
  • Business type
  • Industry
  • Website
  • Contact information

Step 2: Create Brand Profile

Describe your business:

  • What you do
  • Why you're sending SMS
  • Expected message volume
  • Use case categories

Step 3: Register Your Campaign(s)

For each SMS campaign, provide:

  • Campaign purpose (marketing, notifications, 2FA, etc.)
  • Sample messages
  • Opt-in process description
  • Expected monthly volume
  • Call-to-action details

Step 4: Wait for Approval

  • Timeline: 2-7 business days typically
  • Possible outcomes: Approved, Rejected, or Needs More Information

Step 5: Start Sending

Once approved, you can send messages with full carrier support.

10DLC Fees

One-time registration fees:

  • Brand registration: $4-15
  • Campaign registration: $10-25 per campaign

Monthly fees:

  • Per-campaign fees: $10-25/month per campaign
  • Varies by SMS platform and carrier

Total first-month cost: $50-100 (then $10-25/month ongoing)

10DLC Use Cases

Choose the use case that matches your SMS program:

Marketing:

  • Promotional offers
  • Abandoned cart recovery
  • Product announcements
  • Loyalty programs

Notifications:

  • Order confirmations
  • Shipping updates
  • Appointment reminders
  • Account alerts

2FA (Two-Factor Authentication):

  • Login verification codes
  • Password resets
  • Security alerts

Customer Care:

  • Two-way support conversations
  • Feedback requests
  • Surveys

Important: Each use case has different throughput limits and requirements.

10DLC Throughput Limits

Throughput = messages per second you can send

Typical limits:

  • Verified business (standard): 60-240 messages/minute
  • Unverified/low trust score: 6-15 messages/minute
  • High trust score: 360-1200+ messages/minute

How to increase throughput:

  • Register your brand with The Campaign Registry (TCR)
  • Achieve higher trust score (vetted business info)
  • Use multiple phone numbers for high-volume sending
  • Consider short codes for highest throughput (1000+ messages/second)

Content Compliance: What You Can and Can't Say

Prohibited Content

Never include in SMS marketing:

1. Illegal products or services:

  • Cannabis/marijuana (even in legal states)
  • Gambling (with exceptions for licensed operators)
  • Firearms
  • Adult content
  • Tobacco/vaping
  • Pharmaceuticals without proper licensing

2. Phishing or scams:

  • Impersonating government agencies
  • Fake urgency ("Your account will be closed!")
  • Requests for sensitive information (SSN, passwords, credit card numbers)

3. Misleading information:

  • False claims
  • Fake discounts
  • Deceptive subject lines

4. Prohibited affiliates:

  • Payday loans
  • Debt relief services
  • Work-from-home schemes
  • Get-rich-quick schemes
  • Cryptocurrency (restrictions vary)

Consequence: Carriers will block your messages, terminate your account, and blacklist your number.

Required Content Elements

Every marketing message must include:

  1. Brand identification: Who is sending the message
  2. Clear purpose: What the message is about
  3. Call-to-action (if applicable): What you want them to do
  4. Opt-out instructions: How to unsubscribe

Example compliant message:
"[Brand Name]: FLASH SALE! 50% off all shoes for the next 3 hours. Shop now: [link]. Reply STOP to end."

Elements:

  • ✅ Brand Name
  • ✅ Clear offer
  • ✅ CTA (Shop now: [link])
  • ✅ Opt-out (Reply STOP to end)

Special Compliance Considerations

TCPA Consent for Automated Calls and Texts

One-to-one consent rule: Consent given to one business does NOT transfer to another.

Example violation:

  • Customer opts in for SMS from Restaurant A
  • Restaurant A is acquired by Restaurant Chain B
  • Restaurant Chain B cannot text the customer without NEW consent

What to do during an acquisition: Send an opt-in request to the existing list that explains the change and asks for new consent.

Affiliate Marketing Compliance

The rule: You can't text someone just because an affiliate collected their phone number.

Compliant affiliate approach:

  • Affiliate's opt-in form clearly states: "By opting in, you agree to receive messages from [Your Brand] and our partners including [Affiliate Brand]."
  • Consent explicitly mentions your brand name
  • Opt-in records include both businesses

Non-compliant: Generic "I agree to receive offers from partners" without naming specific brands.

Lead Generation Compliance

Problem: Many lead generation companies sell phone numbers claiming "consent is included."

Reality: Those phone numbers often lack proper consent for YOUR specific business.

Compliant approach:

  • Only use leads where consent explicitly mentions your brand
  • Verify opt-in language before purchasing leads
  • Require vendor to provide opt-in records
  • Test with small batch before full campaign

High-risk approach: Buying "SMS leads" from lead generators. Many result in TCPA violations.

Healthcare and HIPAA Considerations

The challenge: SMS marketing + healthcare = HIPAA compliance requirements.

HIPAA requirements for SMS:

  • End-to-end encryption (standard SMS is NOT encrypted)
  • Secure platform with Business Associate Agreement (BAA)
  • Patient consent for electronic communications
  • Access controls and audit trails
  • Limited PHI in messages

Best practice for healthcare SMS:

  • Use HIPAA-compliant SMS platform
  • Limit messages to appointment reminders and general health tips
  • Avoid including PHI in messages (use secure links instead)
  • Get explicit consent for electronic communications

Financial Services Compliance

Additional regulations for banks, lenders, insurance:

GLBA (Gramm-Leach-Bliley Act):

  • Must protect customer financial information
  • Privacy notices required
  • Opt-out options for information sharing

FCRA (Fair Credit Reporting Act):

  • Restrictions on sending credit-related messages
  • Required disclosures for credit offers

Dodd-Frank Act:

  • Restrictions on debt collection messages
  • Required disclosures

Best practice: Work with compliance counsel to ensure SMS programs meet financial services regulations.

Compliance Checklist for Every Campaign

Before sending ANY SMS campaign, verify:

Pre-Launch Checklist

Consent and opt-in:

  • ☐ All recipients explicitly opted in
  • ☐ Opt-in language is compliant
  • ☐ Consent records are stored with timestamps
  • ☐ Opt-in clearly identified your brand
  • ☐ Consent is less than 18 months old (best practice)

Message content:

  • ☐ Brand name included
  • ☐ No prohibited content
  • ☐ Clear call-to-action
  • ☐ Opt-out instructions included
  • ☐ Under 160 characters (or appropriately segmented)
  • ☐ All links work and go to mobile-optimized pages

Technical setup:

  • ☐ 10DLC registration complete and approved
  • ☐ Sending number is registered
  • ☐ STOP keyword auto-response configured
  • ☐ HELP keyword auto-response configured
  • ☐ Opt-outs process automatically
  • ☐ DNC list is up-to-date and excluded from campaign

Timing:

  • ☐ Messages scheduled within 8 AM - 9 PM recipient local time
  • ☐ Not scheduling on Sundays or major holidays
  • ☐ Time zones correctly configured

Compliance:

  • ☐ Campaign is registered for 10DLC
  • ☐ Campaign use case matches registration
  • ☐ Monthly volume within approved limits
  • ☐ Legal review completed (if high-risk industry)

Post-Campaign Checklist

After every campaign:

  • ☐ Monitor delivery rates (should be 98%+)
  • ☐ Process all opt-outs immediately
  • ☐ Review STOP responses for feedback
  • ☐ Track complaints and adjust strategy
  • ☐ Document campaign performance
  • ☐ Update consent records for any changes

Building a Compliance-First SMS Program

Step 1: Choose a Compliant SMS Platform

Must-have features:

  • 10DLC registration support
  • Automatic STOP/HELP keyword handling
  • Consent management and record keeping
  • DNC list management
  • Timezone detection
  • Compliance reporting
  • Carrier-approved content filtering

Red flags:

  • No 10DLC support
  • Manual opt-out processing
  • No consent record storage
  • "We'll handle compliance for you" without documentation

Step 2: Implement Proper Consent Collection

Best practices:

  • Use double opt-in (opt-in + confirmation message)
  • Store detailed consent records
  • Make opt-in forms clear and conspicuous
  • Never use pre-checked boxes
  • Separate SMS consent from email consent

Example double opt-in flow:

  1. User submits phone number on website
  2. System sends: "Welcome to [Brand]! Reply YES to confirm your subscription and receive exclusive offers."
  3. User replies YES
  4. System sends: "You're confirmed! Get 15% off your first order: [link]. Reply STOP to opt out anytime."

Step 3: Train Your Team

Everyone who touches SMS marketing must understand:

  • TCPA basics and penalties
  • Opt-in requirements
  • Opt-out processing
  • Content restrictions
  • 10DLC compliance
  • When to escalate to compliance team

Regular training: Quarterly compliance refreshers, especially when regulations change.

Step 4: Conduct Regular Compliance Audits

Monthly audits:

  • Review opt-out processing times
  • Check STOP/HELP auto-responses
  • Verify DNC list is current
  • Spot-check consent records

Quarterly audits:

  • Full review of opt-in language across all channels
  • Audit consent record storage
  • Review campaign messaging for compliance
  • Check 10DLC campaign accuracy

Annual audits:

  • Legal counsel review of entire SMS program
  • Update policies and procedures
  • Review industry regulation changes
  • Update training materials

Step 5: Have a Response Plan for Complaints

What to do if someone complains:

  1. Immediately stop sending messages to that number
  2. Add to DNC list permanently
  3. Review consent record for that subscriber
  4. Document the complaint in detail
  5. Investigate root cause (how did this happen?)
  6. Respond professionally if the complaint was made to you directly (don't argue; apologize and confirm they're removed)
  7. Adjust processes to prevent recurrence

If you receive a legal demand:

  • Contact your attorney immediately
  • Preserve all records related to that subscriber
  • Do not delete anything
  • Do not respond without legal counsel

Conclusion: Compliance is Your Foundation

SMS marketing compliance isn't a checkbox—it's an ongoing commitment that protects your business, your reputation, and your customers.

The fundamentals never change:

  • Get explicit written consent
  • Identify your business clearly
  • Provide easy opt-outs
  • Honor opt-outs immediately
  • Respect timing restrictions
  • Keep detailed records
  • Follow 10DLC requirements

The cost of compliance: Minimal (10DLC fees, compliant platform, proper processes)

The cost of non-compliance: Catastrophic ($500-$1,500 per message, lawsuits, blacklisting, business closure)

The choice is simple: Invest in compliance from day one.

Ready to build a compliant SMS marketing program? DMText provides built-in compliance tools including automatic STOP/HELP handling, consent management, 10DLC registration support, and compliance reporting. Start your compliant SMS program today with confidence.
