SMS Compliance Made Simple: TCPA, 10DLC & Beyond

SMS compliance isn't the most exciting topic in marketing, but it might be the most important. Getting it wrong can result in fines of $500 to $1,500 per message, class action lawsuits, carrier penalties, and permanent damage to your brand's reputation. Getting it right protects your business and actually improves your marketing performance — because compliant lists are engaged lists.

This guide breaks down everything you need to know about SMS compliance in 2026, from the foundational TCPA requirements to the newer 10DLC registration system and international regulations.

TCPA: The Foundation of SMS Compliance

The Telephone Consumer Protection Act (TCPA) is the primary federal law governing text message marketing in the United States. Enacted in 1991 and updated multiple times since, it establishes clear rules for when and how businesses can send text messages to consumers.

Express Written Consent

The most critical TCPA requirement is obtaining express written consent before sending marketing messages. This consent must be clear, conspicuous, and unambiguous. The consumer must know they're agreeing to receive text messages, understand what types of messages they'll receive, know the approximate frequency of messages, and be informed that consent is not a condition of purchase.

Valid consent can be obtained through website forms with clear disclosure language, text-to-join keywords (texting a keyword to a short code), paper forms signed by the consumer, and point-of-sale opt-in with electronic signature. Simply having someone's phone number is not consent. Purchasing phone number lists is not consent. Having consent to send transactional messages does not mean you have consent to send marketing messages.

Opt-Out Requirements

Every marketing message must include a clear way to opt out, and opt-out requests must be honored immediately. The industry standard is to include "Reply STOP to unsubscribe" in messages and process opt-outs within seconds. If someone texts STOP, UNSUBSCRIBE, CANCEL, END, or QUIT, your system must automatically remove them from future messages.

Quiet Hours

TCPA prohibits sending marketing messages before 8:00 AM or after 9:00 PM in the recipient's local time zone. This means you need to know (or reliably infer) the time zone of each contact and ensure your sending systems respect these boundaries. Some states have even stricter rules — Florida, for example, restricts messages to 8:00 AM – 8:00 PM.

10DLC: The New Standard for Business Messaging

10DLC (10-Digit Long Code) is the carrier-mandated registration system for businesses sending application-to-person (A2P) messages through standard 10-digit phone numbers. As of 2025, 10DLC registration is required by all major US carriers (AT&T, T-Mobile, Verizon) for any business sending SMS marketing.

How 10DLC Registration Works

The registration process has two components: brand registration, which verifies your business identity with The Campaign Registry (TCR), and campaign registration, which describes the type of messages you'll send and gets approved by carriers. Brand registration requires your EIN, business address, website, and contact information. Your brand receives a trust score that determines your messaging throughput limits.

Why 10DLC Matters

Unregistered messages face aggressive carrier filtering and are increasingly blocked entirely. Registered 10DLC messages get better deliverability rates and higher throughput. Think of it like email authentication (SPF, DKIM, DMARC) — it's a trust signal that tells carriers your messages are legitimate.

GDPR and International Compliance

If you have customers in the European Union, you need to comply with GDPR in addition to TCPA. GDPR requires explicit consent for marketing communications, the ability for individuals to access, correct, and delete their data, data processing agreements with any third parties handling personal data, clear documentation of your legal basis for processing, and prompt breach notification (within 72 hours).

Canada's CASL, Australia's Spam Act, and the UK's PECR each have their own requirements. If you're sending messages internationally, work with legal counsel to ensure compliance in each jurisdiction where you have subscribers.

Practical Compliance Checklist

Here's a checklist you can use to audit your SMS compliance:

• All contacts have provided express written consent specifically for SMS marketing
• Consent records are stored and easily retrievable (date, time, method, and language shown)
• Every marketing message includes opt-out instructions
• Opt-outs are processed automatically and immediately
• Messages are only sent during permitted hours (8 AM – 9 PM recipient local time)
• Your 10DLC brand and campaign registrations are active and approved
• Message frequency matches what was disclosed at opt-in
• Your privacy policy accurately describes your SMS practices
• You have a process for handling data access and deletion requests
• Your team is trained on compliance requirements and best practices

How TextUp Handles Compliance

The best SMS platforms build compliance into the product so you don't have to think about it constantly. TextUp includes automatic opt-out processing for STOP and related keywords, quiet hours enforcement based on recipient time zone, consent tracking and record-keeping, 10DLC registration assistance and management, built-in compliance language for opt-in forms, and automatic frequency capping to prevent over-messaging.

These tools don't replace your responsibility to understand the regulations, but they significantly reduce the risk of accidental violations and make it easier to maintain a compliant program as you scale.

The Bottom Line

SMS compliance isn't a burden — it's a competitive advantage. Brands that maintain clean, consent-based lists see higher engagement, better deliverability, lower opt-out rates, and zero legal liability. The businesses getting in trouble are the ones taking shortcuts with consent or ignoring opt-out requests. Don't be one of them. Build your SMS program on a foundation of compliance and watch it perform better than any shortcut ever could.