Understanding TCPA and CTIA Compliance for SMS Marketing in the US

Disclaimer:

The information in this post is for informational purposes only. Please contact your legal team to obtain advice with respect to any particular issues or concerns regarding TCPA compliance.

What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a United States federal law governing the regulation of telephone solicitations. The TCPA was first signed into law in 1991 and has remained the bedrock of federal telemarketing regulations ever since.

Who Must Comply With the TCPA?

Because the TCPA regulates all telephone solicitations, any person, business, or entity that markets or sells their products or services over the phone — including voice calls, faxes, VoIP calls, and text messages —  is subject to the TCPA. 

Brands using or planning to use SMS marketing should be aware of Sections 4 and 5 of the TCPA’s definition, which define what they mean by “telephone solicitation” and “unsolicited advertisement.” 

Why Does the TCPA Matter for SMS Marketing?

Essentially, you cannot send unsolicited marketing text messages to your customers unless they voluntarily give you prior express written consent, which is defined by the Federal Communications Commission (FCC) as: 

“A written agreement between the caller and the receiver of the call that clearly authorizes the caller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial pre-recorded voice.” 

This type of prior express consent must specify the phone number to be called and must also include the receiver’s written or electronic signature, which could simply be a button press confirming the agreement. The caller must also disclose that consent is not a condition of purchase.

Typically, consent is captured via opt-in forms on your website or during checkout — just be sure that the consent language is clearly communicated.

This raises another common question with customer data: If you already have phone numbers from your customers, can you just start sending them marketing messages? 

Unfortunately, no. Just because you have someone’s phone number, that doesn’t mean you have permission to text them. They must explicitly opt in to marketing communications from your brand. Transactional messaging (such as order confirmations or shipping updates) is also not exempt from this requirement, and requires a distinct opt in as well.

It is important to remember that consent is tied to the owner of the phone number, not the phone number itself.

It’s also crucial to note that if you have a family of brands, consent to SMS from one brand does not mean they’ve given consent to SMS from another brand. Each consent must be captured separately and be clearly defined.

What Are the Penalties for Violating TCPA Regulations?

TCPA violations can result in penalties of $500 per violation, with willful violations going up to $1,500 per violation. There is no cap on statutory damages, so repeat violations may result in millions of dollars in penalties.

What Are Some of the Requirements of the TCPA for SMS Marketers?

Here are some of the most important TCPA requirements for SMS marketing, along with Bloomreach solutions to help you stay compliant:

Consent

• Above all else, capturing clear and unambiguous consent is the most important requirement of TCPA compliance.
• Without prior express written consent, you may not send marketing (or transactional!) messages.
• Bloomreach Engagement solution: consent management + TCPA list validation

Make It Easy To Opt Out

• The TCPA requires that customers are able to easily opt out of your SMS marketing program.
• It’s good practice to periodically remind recipients of how to opt out of receiving messages from you, so that they aren’t frustrated or confused by the process
• The accepted method of unsubscribing from SMS marketing is to respond to a text saying “STOP,” but it is ideal to set up other keywords or “fuzzy” opt-outs to prevent frustration.
• Bloomreach Engagement solution: consent management and keyword opt-outs

Send Time Restrictions (Silent Hours)

• The TCPA stipulates telephone solicitation (including text messages) may not occur anytime before 8 a.m. or after 9 p.m. in the recipient's time zone, but certain states are more restrictive. Florida, Oklahoma, and Washington state laws impose stricter requirements that dictate texts can only be sent between the hours of 8 a.m. and 8 p.m. in the recipient's local time zone. To avoid risk, marketers should only send texts between 9 a.m. and 8 p.m. and ensure time zones are respected.
• Bloomreach Engagement solution: silent hours in scenarios

Identification Requirements

• Among other things, the TCPA requires the caller/sender to provide their name, the name of the company they’re calling on behalf of, and a telephone number or address which can be used to contact them again.
• Bloomreach Engagement solution: brand name

Internal Do Not Call (DNC) List

• Callers/senders are required by the Telephone Consumer Protection Act are required to maintain an internal do not call database of consumers who have asked not to be called or texted.
• Bloomreach Engagement solution: consent management and keyword opt-outs

National Do Not Call Registry

• Marketers are required by the TCPA to suppress phone numbers on the National Do Not Call Registry. Remember that some states have their own local DNC lists as well, separate from the federal list.
• Bloomreach Engagement solution: TCPA list validation

What Are Some of the Biggest TCPA Risks?

Reassigned numbers

Nearly 100,000 numbers are reassigned each day. Since consent is associated with the called party and not the phone number, the possibility of contacting reassigned numbers brings significant TCPA risk.

Private right of action

TCPA allows individuals to sue brands directly for violations and statutory damages, which makes avoiding them all the more imperative. While individuals can initiate legal action, TCPA violations are often pursued as class-action lawsuits, which can quickly compound the cost ramifications of bad senders.

Personal liability

In certain situations, executives and compliance officers are being targeted personally for litigation stemming from TCPA penalties. This risk compounds the punitive nature of TCPA litigation.

DNC violations

Following the Supreme Court’s decision in Facebook v. Duguid, TCPA litigators have turned their focus to alleging DNC violations by organizations. Additionally, an increased emphasis on state-level telemarketing regulations is likely to raise the risk level of DNC violations. There are different DNC lists — federal, state, and internal DNC — and DNC compliance is taking on renewed importance.

What Is the CTIA?

The CTIA, or Cellular Telecommunications Industry Association, is a trade association and nonprofit organization that represents all sectors of wireless communications, cellular, and personal communication services. As part of their work in advocacy and research services, the CTIA has established messaging guidelines to help companies stay compliant with local and federal SMS regulations.

Unlike the TCPA, the CTIA messaging guidelines are actually a set of principles and best practices that rely on voluntary compliance, not legal enforcement. You won’t be fined for failing to follow the CTIA messaging guidelines. However, the carriers reserve the right to shut down short codes and block senders that violate these guidelines. While they are not legal requirements, they should not be treated as simply suggestions.

Following the CTIA messaging guidelines is a great way to help ensure that your SMS program remains legally compliant while also preventing costly impacts to the business in the case of a blocked sender.

How Bloomreach Helps You Stay TCPA and CTIA Compliant

Capturing Consent

There are multiple ways your customers can join your SMS marketing program. To follow the regulations and guidelines, always be clear with customers about how you will use their information. 

Compliant Sign-up 

The most common ways to capture SMS consent are via on-site pop-ups or during the checkout process. Regardless of what method you use, the opt in must properly inform customers that their phone number will be used for marketing purposes only, that they can opt out at any time, and that you’ll never share their information with anyone. You should also provide links to your terms of service and privacy policy, where customers can view the most accurate description of how you capture and process their information.

If you want to collect both email marketing and SMS marketing consent simultaneously, you must capture clear and unambiguous consent for each program as a separate opt-in. In other words, new subscribers cannot enter both phone and email information on the same screen with a single button for submission, as SMS consent may be misinterpreted as forced. Bloomreach created our multi-step sign-up units with this in mind to ensure you can grow your email and SMS lists quickly and compliantly.

See an example of the required opt-in language we include in all sign-up units by default:

“[By checking this box/By submitting this form] and providing your phone number, you agree to receive recurring automated marketing messages, including cart reminders, at the phone number provided, even if that number is on a state or national do not call registry. Consent is not a condition of purchase. Reply STOP to unsubscribe. Reply HELP for help. Message frequency varies. Msg & data rates may apply. View our Privacy Policy and Terms of Service.”

Keywords

Bloomreach Engagement also allows your customers to join your SMS marketing program via keywords. This is a great way to increase your subscriber count through external sources such as social networks (Instagram stories, Facebook ads, and others) or posters in brick-and-mortar shops (text to join). Be sure to use the required compliance language, and also provide a link to your terms of service and privacy policy. 

Additionally, Bloomreach Engagement can help you collect phone numbers for your SMS marketing program by combining consent management and weblayers. We provide templates drafted with TCPA and CTIA regulations in mind. You can find all of these templates in the Engagement platform with the prefix TCPA_CTIA.

Removing Customers Who Have Opted Out

The TCPA requires that customers can easily opt out of your SMS marketing program. The accepted method of unsubscribing from SMS marketing is to respond to a text with “STOP.”

Bloomreach Engagement handles incoming SMS/MMS messages, and when a customer replies to a message with one of the configured opt-out keywords, the corresponding auto-response is executed immediately and their consent status is updated to reflect the opt-out. You can set up multiple keywords to revoke consent to ensure your subscribers have multiple ways to request removal from your SMS program.

Meeting CTIA Guidelines for Long Codes and Short Codes

When considering governance of actual phone numbers, the TCPA doesn’t have anything to do with provisioning short codes, long codes, or toll-free numbers, although how these numbers are used must still comply with TCPA requirements. 

The CTIA reserves the right to shut down phone numbers for violations of the TCPA in addition to failing to follow the CTIA’s messaging principles and best practices. Short codes, long codes, and toll-free numbers must be registered, and require each sender and their phone number collection processes to be vetted to ensure they are compliant with both the TCPA and CTIA. Bloomreach partners with leading SMS providers like Sinch and Infobip to manage this process for you and ensure you get the green light before you start sending.

Short codes (an easy-to-remember, five-to-six-digit number that texts are sent from) are considered the “gold standard” for SMS senders. While they do come with a cost (around $500 per month per phone number), the rigorous approval process ensures that you are meeting the highest standards of compliance. Short-code senders are given special privileges in the form of higher messaging throughput and are prioritized by telephone service rpoviders for better deliverability. If compliance is of the highest priority for your brand, investing in a short code can pay dividends.

Disclosing Data Rates and Carrier Fees

According to the CTIA guidelines, you have a responsibility to make the customer aware that data rates and carrier fees may apply to the text messages they receive from your SMS marketing program. It’s usually as simple as saying “Msg & data rates may apply” in your opt-in text to consumers. This should also be part of your opt-in language.

See an example of the default language for opt-in messages:

• CUSTOMER: [Enters their phone number via a TCPA-compliant sign-up unit]
• BRAND: {{brand_name}}: Reply YES to receive automated marketing messages and cart reminders. 
• CUSTOMER: YES
• BRAND: {{brand_name}}: Confirmed! Msg frequency varies. Msg & data rates may apply. Reply HELP for help. Reply STOP to unsubscribe.

Respecting TCPA Send Time Restrictions (Quiet Hours)

Marketers should only send messages during specific timeframes, as outlined by the TCPA. You must also take into consideration state-specific restrictions and local time zones.

Bloomreach Engagement gives you the ability to define and control silent hours to temporarily pause the sending of your campaigns to customers until it is safe to send to them again.

6. Sending Relevant Content and Avoiding SHAFT

Make sure that the content you are sending to your customers is relevant, aligned with your brand, and delivers on the promises you made when convincing them to subscribe. Always provide value and do not send messages just for the sake of sending them.

Follow the SHAFT (Sex, Hate, Alcohol, Firearms, Tobacco [including CBD]) guidelines by the CTIA. This acronym specifies what type of content is prohibited in marketing text messages. It has to be taken seriously by anyone using SMS to communicate with their consumers to ensure they are compliant with the CTIA, as well as fostering positive relationships with their consumers.

CTIA SHAFT guidelines:

• Content regarding controlled substances and adult content must be age-gated
• You can’t disperse content with depictions or endorsements of violence or hate
• No inappropriate content or content that is sexual in nature
• Don’t send messages containing profanity or hate speech
• Endorsements of illegal or illicit drugs are forbidden

7. Keeping the Frequency Policy Under Your Control

Since June 2021, carriers have enforced new policies for abandoned shopping carts and abandoned checkout flows to ensure that their users receive a consistent experience. 

Any abandoned cart messages (e.g., shopping cart reminders) should:

• Be limited to only one message per unique abandoned cart event
• Be sent within 48 hours of the unique abandoned cart

You can easily control the frequency of your SMS campaigns in Bloomreach Engagement using the frequency policy feature.

8. Removing Deactivated Numbers

Remember, consent is tied to the owner of a phone number, not the phone number itself.

Prior express written consent becomes invalid if the customer who gave you the consent no longer uses that phone number because it was deactivated or swapped.

In this case, any messages you send to the number are no longer TCPA compliant because the new owner of the number has not granted you prior express written consent.

This means that when a person terminates their cellular plan, gets a new phone number, or chooses to change their current carrier for another, they need to be removed from the SMS marketing program.

Ignoring this process may lead to an increase in spam complaints, which may in turn prompt carriers to filter your messages, and may also result in legal action (and hefty fines) for violating TCPA requirements.

Bloomreach Engagement can help you automatically identify and remove the deactivated numbers from your list using our TCPA list validation feature.

Stay Compliant With Bloomreach

Navigating the waters of compliant SMS marketing can be tricky, and it can also be costly if you don’t do it right. Bloomreach Engagement makes it easy for you to stay compliant with TCPA regulations and also follow CTIA best practices.

Want to learn more about all the ways that Bloomreach can help you stay compliant and execute incredible SMS campaigns? Read more about our TCPA list validation feature and learn all about the incredible SMS marketing capabilities you get from our platform.