Understanding TCPA and CTIA Compliance for SMS Marketing in the US

Disclaimer:

The information in this post is for informational purposes only. Please contact your legal team to obtain advice with respect to any particular issues or concerns regarding TCPA compliance.

What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a United States federal law governing the regulation of telephone solicitations. The TCPA was first signed into law in 1991 and has remained the bedrock of federal telemarketing regulations ever since.

Who Must Comply With the TCPA?

Because the TCPA regulates all telephone solicitations, any person, business, or entity that markets or sells their products or services over the phone — including voice calls, faxes, VoIP calls, and text messages —  is subject to the TCPA. 

Brands using or planning to use SMS marketing should be aware of Sections 4 and 5 of the TCPA’s definition, which define what they mean by “telephone solicitation” and “unsolicited advertisement.” 

Why Does the TCPA Matter for SMS Marketing?

You cannot send unsolicited marketing text messages to your customers unless they voluntarily give you prior express written consent, which the FCC defines as:

“A written agreement between the caller and the receiver of the call that clearly authorizes the caller to deliver advertisements or telemarketing messages using an automatic telephone dialing system or an artificial pre-recorded voice.”

This consent must specify the phone number to be called and include the receiver’s written or electronic signature, which could be a button press confirming the agreement. The caller must also disclose that consent is not a condition of purchase.

Typically, consent is captured via opt-in forms on your website or during checkout. The consent language must be clearly communicated and separate from other terms.

If you already have phone numbers from your customers, can you just start sending them marketing messages? No. Having someone’s phone number does not mean you have permission to text them. They must explicitly opt in to marketing communications from your brand.

Consent is tied to the owner of the phone number, not the phone number itself. And if you operate a family of brands, consent to SMS from one brand does not mean consent to SMS from another. Each consent must be captured separately and clearly defined.

Transactional vs. Promotional Messages

The TCPA applies different consent standards depending on the type of message you send:

Promotional/marketing messages require prior express written consent (the higher standard). These include discount offers, product announcements, flash sales, upsell campaigns, and any message designed to promote or advertise.

Transactional/informational messages require prior express consent, which can be oral or written (a lower standard). These include order confirmations, shipping updates, appointment reminders, account alerts, and password resets. However, transactional messages cannot contain promotional content. If you include a discount code in a shipping notification, the entire message may be classified as promotional.

Understanding this distinction is important. Many businesses overcollect consent for transactional messages or undercollect for promotional ones. The safest approach: obtain written consent for all SMS communications and clearly separate transactional from promotional messages in your workflows.

TCPA Requirements for SMS Marketers

Here are the key TCPA requirements for SMS marketing, along with Bloomreach solutions to help you stay compliant:

Consent

Above all else, capturing clear and unambiguous consent is the most important requirement of TCPA compliance. Without prior express written consent, you may not send marketing messages.

Bloomreach solution: Consent management + TCPA list validation

Make It Easy To Opt Out

The TCPA requires that customers can easily opt out of your SMS marketing program. The accepted method of unsubscribing is to respond to a text with “STOP.”

Since April 2025, FCC rules require businesses to accept opt-out requests through any reasonable method, not just keyword replies. This includes email, phone calls, website forms, chatbots, or even in-person requests. Businesses must process opt-out requests within 10 business days and may send a single confirmation message (within 5 minutes, with no promotional content) to clarify which types of messages the consumer wants to stop receiving.

It’s good practice to have easily accessible terms and conditions and periodically remind recipients of how to opt out so they aren’t frustrated or confused by the process.

Bloomreach solution: Consent management and keyword opt-outs

Send Time Restrictions (Silent Hours)

The TCPA stipulates that text messages may not be sent before 8 a.m. or after 9 p.m. in the recipient’s time zone. Certain states are more restrictive. Florida, Oklahoma, and Washington state laws dictate texts can only be sent between 8 a.m. and 8 p.m. in the recipient’s local time zone. Texas SB 140, which took effect in September 2025, restricts automated messages to between 9 a.m. and 9 p.m. local time.

To avoid risk, send texts between 9 a.m. and 8 p.m. and ensure time zones are respected.

Bloomreach solution: Silent hours in scenarios

Identification Requirements

The TCPA requires the sender to provide their name, the name of the company they’re communicating on behalf of, and a telephone number or address which can be used to contact them again. This information should appear in your first message to new subscribers.

Bloomreach solution: Brand name

Message Frequency Guidelines

The TCPA does not set strict limits on SMS frequency, but excessive messaging can be perceived as harassment and increases compliance risk. Most brands follow a general guideline of 1-2 promotional messages per week. Carrier-enforced policies add further restrictions:

• Abandoned cart messages should be limited to one message per unique cart event
• Abandoned cart messages must be sent within 48 hours of the event

Offering subscribers the ability to customize their message frequency (weekly, monthly, or promotional-only) reduces opt-outs and builds trust.

Bloomreach solution: Frequency policy

Record-Keeping Requirements

Maintaining detailed records of consent is your strongest defense in a TCPA complaint or lawsuit. Businesses should track:

• When and how consent was obtained (exact date, time, and method)
• The exact language of the consent agreement shown to the consumer
• The contact details of the recipient (phone number tied to consent)
• Opt-out requests and processing dates

Retain these records for at least five years. Courts and regulators expect businesses to produce documented proof of consent when challenged.

Internal Do Not Call (DNC) List

The TCPA requires callers and senders to maintain an internal do-not-call database of consumers who have asked not to be called or texted.

Bloomreach solution: Consent management and keyword opt-outs

National Do Not Call Registry

Marketers are required by the TCPA to suppress phone numbers on the National Do Not Call Registry. Some states maintain their own DNC lists as well, separate from the federal list.

Bloomreach solution: TCPA list validation

What Are the Penalties for Violating TCPA Regulations?

TCPA violations carry serious financial consequences:

• $500 per violation for standard infractions
• $1,500 per willful violation (treble damages)
• Up to $43,792 per violation for DNC list infractions

There is no cap on statutory damages, so repeat violations can result in millions of dollars in penalties. TCPA violations are frequently pursued as class-action lawsuits, which compound the cost quickly.

Recent TCPA SMS Settlements

Recent settlements illustrate the financial stakes of non-compliance:

• Clover Network (2024): $15 million for sending over 1 million unsolicited marketing texts without consent
• Cash App (2025): $12.5 million for unsolicited referral program texts sent without clear consent
• Zales Jewelers (2025): $7.5 million for SMS marketing violations
• DSW / Designer Brands (2025): $4.42 million for continuing to send marketing texts after consumers opted out

The pattern across these cases is clear: the largest settlements involve either sending texts without any consent at all or continuing to text after opt-out requests. Both scenarios are preventable with proper compliance infrastructure.

What Are the Biggest TCPA Risks?

Reassigned Numbers

Nearly 100,000 numbers are reassigned each day. Since consent is associated with the called party and not the phone number, contacting reassigned numbers carries significant TCPA risk.

The FCC’s Reassigned Numbers Database (RND) mitigates this risk. Operational since November 2021, the RND contains data on over 152 million U.S. phone numbers that have been permanently disconnected. Businesses can query the RND before sending messages to check whether a number has been reassigned since consent was obtained. A “No” response provides an FCC-recognized safe harbor against TCPA liability. Query your database at least every 45 days, matching the carrier aging period before number reassignment.

The RND is administered by SomosGov and available via subscription.

Bloomreach solution: Our TCPA list validation feature helps you automatically identify and remove deactivated numbers, known TCPA litigators, and DNC registrants from your list.

Private Right of Action

TCPA allows individuals to sue brands directly for violations and statutory damages. While individuals can initiate legal action, TCPA violations are often pursued as class-action lawsuits, which compound costs rapidly.

Personal Liability

In certain situations, executives and compliance officers are being targeted personally for litigation stemming from TCPA penalties.

DNC Violations

Following the Supreme Court’s decision in Facebook v. Duguid, TCPA litigators have turned their focus to alleging DNC violations by organizations. There are different DNC lists (federal, state, and internal), and DNC compliance is taking on renewed importance. Failure to scrub against all applicable lists before sending is one of the most common triggers for TCPA litigation.

TCPA Exemptions

Certain types of messages are exempt from full TCPA consent requirements:

Emergency messages are fully exempt. Severe weather alerts, public safety warnings, school lockdown notifications, and medical emergencies can be sent without prior consent.

Healthcare messages under HIPAA may be sent with prior express consent (not written). This includes appointment confirmations, prescription notifications, pre-operative instructions, and lab result notifications. These messages cannot contain marketing content.

Non-commercial messages from nonprofits, political organizations, and charitable entities often fall outside TCPA marketing rules. However, if the message contains any commercial promotion, standard TCPA rules apply.

Informational/transactional messages require prior express consent (not written) when they are purely informational. Order confirmations, shipping updates, and account alerts fall into this category, as long as they contain no promotional content.

If you believe your messages may qualify for an exemption, consult your legal team. Exemptions are nuanced, and misclassifying a promotional message as informational can result in violations.

What Is the CTIA?

The CTIA (Cellular Telecommunications Industry Association) is a trade association that represents all sectors of wireless communications. The CTIA has established messaging guidelines to help companies stay compliant with local and federal SMS regulations.

Unlike the TCPA, the CTIA messaging guidelines are principles and best practices that rely on voluntary compliance, not legal enforcement. You won’t be fined for failing to follow them. However, carriers reserve the right to shut down short codes and block senders that violate these guidelines. While not legal requirements, they should not be treated as suggestions.

SHAFT Content Restrictions

The CTIA’s SHAFT guidelines specify what type of content is restricted in marketing text messages. SHAFT stands for Sex, Hate, Alcohol, Firearms, and Tobacco (including CBD).

• Content regarding controlled substances and adult content must be age-gated
• Depictions or endorsements of violence or hate are prohibited
• No inappropriate or sexual content
• Profanity or hate speech is not allowed
• Endorsements of illegal or illicit drugs are forbidden

Products that are federally legal (such as alcohol) can be marketed via SMS as long as age-gating is in place, requiring recipients to confirm they are at least 21 years old before receiving messages.

What Changed: TCPA Updates for 2025-2026

The TCPA regulatory landscape has shifted significantly since mid-2024. If your SMS compliance practices haven’t been updated recently, review these developments with your legal team.

April 2025: New FCC Opt-Out Rules

The FCC’s updated consent revocation rules took effect on April 11, 2025, with several key changes:

Expanded opt-out methods. Consumers can now revoke consent through any reasonable method, not just keyword replies. Businesses must accept opt-outs via text (“STOP,” “quit,” “end,” “revoke,” “opt out,” “cancel,” “unsubscribe”), email, phone calls, website forms, chatbots, or in-person requests. Consumers may also respond in the language in which they received the communication.

10-business-day processing window. Businesses must honor opt-out requests within 10 business days, down from the previous 30-day standard.

Single clarification message. You may send one clarification text within 5 minutes of receiving a revocation request to confirm which message types the consumer wants to stop. This message cannot contain any promotional content. If the consumer doesn’t respond, the opt-out applies to all automated messages from your brand.

A related “revoke-all” provision, which would have required a consumer’s opt-out to apply across all communication types and channels, has been delayed to at least April 2026 and may be eliminated entirely under the FCC’s October 2025 rulemaking proposal.

February 2025: One-to-One Consent Rule Vacated

In December 2023, the FCC adopted a rule requiring that consent be specific to a single identified seller (closing the “lead generator loophole”). Just before taking effect in January 2025, the 11th Circuit Court of Appeals permanently vacated the rule in Insurance Marketing Coalition v. FCC, finding that the FCC’s one-to-one and topic restrictions conflicted with the TCPA’s statutory text.

Current status: The one-to-one consent rule is no longer in effect. Businesses follow the pre-2023 TCPA definition of prior express written consent, which does not mandate seller-specific approvals. Lead generators can continue obtaining consent for multiple sellers via a single form, provided the consent is clear and the consumer understands what they are agreeing to.

February 2026: Fifth Circuit Decision on Written Consent

In Bradford v. Sovereign Pest Control (February 25, 2026), the Fifth Circuit Court of Appeals ruled that the TCPA requires only “prior express consent” for automated telemarketing calls and texts, not “prior express written consent” as the FCC’s regulations require. The court found that the FCC’s regulation adding the “written” requirement exceeded the statutory text. This decision was influenced by the Supreme Court’s 2024 Loper Bright ruling, which eliminated judicial deference to agency interpretations.

What this means for marketers: In the Fifth Circuit (Texas, Louisiana, Mississippi), oral consent may now suffice for TCPA compliance. However, this only applies in those three states. Other circuits and the FCC’s own rules still mandate written consent. Oral consent is also significantly harder to document and prove in litigation.

Our recommendation: Continue obtaining written consent for all SMS marketing nationwide. Written consent remains the safest practice and provides the strongest legal defense regardless of jurisdiction.

September 2025: Texas SB 140

Texas Senate Bill 140 imposed additional requirements on automated text messages sent to Texas residents, including stricter quiet-hour restrictions (9 a.m. to 9 p.m. local time) and enhanced penalties for violations. A November 2025 settlement clarified that businesses running genuine opt-in SMS programs are effectively exempt from Chapter 302’s telemarketing registration and bonding requirements. Read our detailed breakdown of Texas SB 140 for full compliance guidance.

Mobile OS Changes Affecting SMS Delivery

While not regulatory changes, recent updates from Apple and Google affect how SMS marketing messages are delivered and received:

• Apple iOS 26 introduces expanded message filtering that can send messages from unknown senders to a separate folder, potentially reducing visibility of welcome and confirmation texts.
• Android Google Messages updates add link warnings, inbox filters, and in-thread unsubscribe buttons that make opting out easier.

These changes reinforce the importance of clear opt-in flows, branded sender IDs, and high-value message content. Encourage subscribers to save your number as a contact during onboarding.

How To Stay TCPA and CTIA Compliant With Bloomreach

With Bloomreach, you have all the tools you need to keep your SMS marketing compliant with laws and regulations. Our platform offers built-in protection with inherent TCPA and CTIA compliance so your campaigns are never in doubt.

Here’s what every SMS marketer should do to stay compliant, along with the specific ways our solution helps:

Capture Consent With Compliant Sign-Up Units

There are multiple ways your customers can join your SMS marketing program. Some sign up via on-site pop-ups while others give consent during checkout.

Regardless of the method, your opt-in process must properly inform customers that their phone number will be used for marketing purposes, that they can opt out at any time, and that you’ll never share their information. You should also provide links to your terms of service and privacy policy.

This is easy to do with Bloomreach, which guides marketers through the setup of these compliance requirements. You can build the ideal sign-up forms for your SMS marketing initiatives and include all the necessary information to maintain compliance.

If you want to collect both email and SMS consent simultaneously, you must capture clear and unambiguous consent for each program as a separate opt-in. Subscribers cannot enter both phone and email information on the same screen with a single submission button, as SMS consent may be misinterpreted as forced. With Bloomreach, you can implement our multi-step sign-up units to grow both your email and SMS lists quickly and compliantly.

Consent Language Examples

Your opt-in language must be specific and transparent. Here are examples of compliant consent language for different scenarios:

Web form opt-in:

“[By checking this box/By submitting this form] and providing your phone number, you agree to receive recurring automated marketing messages, including cart reminders, at the phone number provided, even if that number is on a state or national do not call registry. Consent is not a condition of purchase. Reply STOP to unsubscribe. Reply HELP for help. Message frequency varies. Msg & data rates may apply. View our Privacy Policy and Terms of Service.”

Double opt-in confirmation:

“[Brand Name]: Reply YES to receive automated marketing messages and cart reminders. Msg frequency varies. Msg & data rates may apply. Reply HELP for help. Reply STOP to unsubscribe.”

In-store or text-to-join:

“Text JOIN to [short code] to receive exclusive offers from [Brand Name]. By texting JOIN, you consent to receive automated marketing texts. Consent is not required for purchase. Msg & data rates may apply. Reply STOP to opt out.”

Build Your Lists Quickly and Compliantly With Keywords

Keywords are a great way to increase your subscriber count through external sources such as social networks (Instagram stories, Facebook ads) or posters in brick-and-mortar shops (text to join). Be sure to use the required compliance language and provide a link to your terms of service and privacy policy.

Bloomreach collects phone numbers by combining consent management and weblayers. We provide templates drafted with TCPA and CTIA regulations in mind. You can find these templates in the platform with the prefix TCPA_CTIA.

Remove Customers Who Have Opted Out

Under the April 2025 opt-out rules, you must honor opt-out requests from any reasonable channel within 10 business days. When a customer replies with “STOP” or a similar keyword, your brand needs to respond immediately.

Bloomreach handles incoming SMS/MMS messages and picks up on opt-out messages instantly. When a customer replies with a configured opt-out keyword, a corresponding auto-response is executed immediately and their consent status is updated. You can set up multiple keywords to revoke consent to ensure subscribers have multiple ways to request removal from your program.

Meet CTIA Guidelines for Long Codes and Short Codes

The TCPA doesn’t regulate the provisioning of short codes, long codes, or toll-free numbers, although how these numbers are used must comply with TCPA requirements.

The CTIA reserves the right to shut down phone numbers for violations of the TCPA or CTIA messaging principles and best practices. All numbers must be registered, and each sender’s phone number collection processes must be vetted for compliance.

With Bloomreach, this compliance is built in. We partner with leading SMS providers like Sinch and Infobip to manage this process and ensure you get the green light before you start sending.

Short codes (five-to-six-digit numbers that texts are sent from) are considered the “gold standard” for SMS senders. While they come with a cost (around $500 per month), the rigorous approval process ensures you meet the highest compliance standards. Short-code senders are given higher messaging throughput and are prioritized by carriers for better deliverability.

Disclose Data Rates and Carrier Fees

According to the CTIA guidelines, you must make customers aware that data rates and carrier fees may apply. It’s usually as simple as including “Msg & data rates may apply” in your opt-in language.

See an example of the default opt-in message flow:

• CUSTOMER: [Enters phone number via a TCPA-compliant sign-up unit]
• BRAND: {{brand_name}}: Reply YES to receive automated marketing messages and cart reminders.
• CUSTOMER: YES
• BRAND: {{brand_name}}: Confirmed! Msg frequency varies. Msg & data rates may apply. Reply HELP for help. Reply STOP to unsubscribe.

Respect Send Time Restrictions (Quiet Hours)

Marketers should only send messages during TCPA-compliant timeframes, taking into account state-specific restrictions and local time zones. For nationwide campaigns, adjust for time zone differences: a text sent at 9 a.m. Eastern Time may still fall within quiet hours for recipients on the West Coast.

Bloomreach gives you the ability to define and control silent hours to pause campaigns until it is safe to send again. Our platform also supports AI-powered optimal send times that maximize engagement while staying within compliant windows.

Send Relevant Content

Make sure that the content you send is relevant, aligned with your brand, and delivers on the promises you made when convincing customers to subscribe. Always provide value and do not send messages just for the sake of sending them.

Remove Deactivated Numbers

Consent is tied to the owner of a phone number, not the phone number itself. Prior written consent becomes invalid if the customer who gave you consent no longer uses that phone number because it was deactivated or swapped.

When a person terminates their cellular plan, gets a new phone number, or changes carriers, they need to be removed from your SMS marketing program. Ignoring this process leads to spam complaints, carrier filtering, and legal action.

Use the FCC’s Reassigned Numbers Database to check whether numbers in your list have been reassigned, and scrub your list at least every 45 days. Bloomreach helps you automatically identify and remove deactivated numbers using our TCPA list validation feature, which also suppresses known TCPA litigators and DNC registrants.

Any abandoned cart messages (e.g., shopping cart reminders) should:

• Be limited to only one message per unique abandoned cart event
• Be sent within 48 hours of the unique abandoned cart

You can easily control the frequency of your SMS campaigns in Bloomreach Engagement using the frequency policy feature.

boohooMAN Drives 25x ROI With Compliant SMS

Compliance doesn’t mean sacrificing performance. UK fashion brand boohooMAN used Bloomreach to build a fully compliant SMS marketing strategy with double opt-in flows and personalized messaging. The results: a 5x overall ROI from SMS and a 25x ROI from an SMS birthday campaign. By combining proper consent capture with AI-powered personalization, boohooMAN proved that compliant SMS drives real revenue.

SMS Compliance Quick-Reference Checklist

Use this checklist to verify your SMS program meets TCPA and CTIA requirements:

• [ ] Consent captured: Prior express written consent obtained for all marketing messages
• [ ] Consent documented: Records include timestamp, method, and exact language shown
• [ ] Transactional messages separated: No promotional content in transactional texts
• [ ] Opt-out available: “STOP” keyword and multiple opt-out channels supported
• [ ] Opt-outs processed promptly: Within 10 business days (aim for real-time)
• [ ] Silent hours respected: Messages sent between 9 a.m. and 8 p.m. local time
• [ ] Sender identified: Business name included in every message
• [ ] DNC lists scrubbed: Federal, state, and internal DNC lists checked before sending
• [ ] Reassigned numbers checked: RND queried at least every 45 days
• [ ] Frequency controlled: No excessive messaging; abandoned cart limited to 1 per event within 48 hours
• [ ] Data rates disclosed: “Msg & data rates may apply” included in opt-in language
• [ ] SHAFT compliant: No restricted content; age-gating for applicable products
• [ ] Records retained: Consent records kept for at least 5 years

[ ] State laws reviewed: Texas SB 140, Florida, Oklahoma, Washington, and California requirements addressed

Stay Compliant With Bloomreach

TCPA compliance is non-negotiable, and the regulatory landscape continues to evolve. With Loomi AI, Bloomreach makes it easy to stay compliant with TCPA regulations, follow CTIA best practices, and adapt to new rules as they take effect.

Loomi AI includes TCPA list validation that automatically scrubs against DNC lists, deactivated numbers, reassigned numbers, and known litigators. Combined with consent management, silent hour enforcement, frequency policies, and a full suite of SMS marketing capabilities, you get compliance and performance from one platform.

See how Bloomreach keeps your SMS marketing compliant and high-performing.