
Complete Guide to SMS Compliance Laws for Business Text Messaging in the US
Learn how to stay compliant with SMS laws like TCPA and CTIA. Understand opt-ins, 10DLC, SHAFT rules, and how Conversive simplifies compliance.
If your business uses SMS to communicate with customers for marketing, service updates, or reminders, you need to follow a layered set of compliance rules. These rules come from federal regulators, industry groups, and mobile carriers, and they apply whether you're sending a handful of messages or thousands each day.
At Conversive, we work with over 5,000 organizations that rely on SMS to engage their customers, particularly in industries like healthcare, finance, education, and legal services. What we’ve learned is that even experienced teams can sometimes overlook a requirement or misinterpret a rule. They realize it only when their messages get blocked.
This guide is built to help you get it right from the start. We’ll walk through each layer of SMS compliance:
- Federal law: What the TCPA requires, and how it defines valid consent.
- Industry standards: The CTIA messaging guidelines that carriers use to assess message quality.
- Carrier requirements: Including 10DLC registration, content restrictions, and sending time limits.
We’ll also cover the rules around opt-ins and opt-outs, banned content categories, and data recordkeeping. If you're working in a regulated space or simply want to avoid disruptions to your messaging programs, this is what you need to know.
Here’s a quick summary table of all the SMS compliance rules, guidelines, and frameworks:
And now, let’s cover them in more detail:
1. Telephone Consumer Protection Act (TCPA)
If you send marketing or promotional text messages in the US, the Telephone Consumer Protection Act (TCPA) applies to you. It’s a federal law enforced by the Federal Communications Commission (FCC), and it sets the ground rules for how and when you can text consumers.
The most important requirement is that you must get prior express written consent before sending any marketing texts. That consent must be specific, clearly worded, and captured before the first message goes out. It also needs to be stored properly so you can prove it later, especially in the event of a complaint or legal inquiry.
We’ve seen how easy it is for businesses to miss the mark here. Sometimes the language on a web form is vague. Sometimes consent is implied but not documented. These gaps can trigger penalties up to $1,500 per message, plus long-term issues with message delivery and customer trust.
Here’s what your opt-in process needs to include:
- A clear statement that the recipient agrees to receive marketing texts.
- Your business name or brand, so there's no ambiguity about the sender.
- A brief description of what type of messages you’ll be sending.
- Disclosure that message and data rates may apply.
- The expected message frequency (e.g., “1–4 messages/month”).
- Instructions for opting out, like “Reply STOP to unsubscribe.”
- A record of how and when the user opted in, with timestamp, source, and method.
Remember that you can’t rely on verbal consent, prior business relationships, or generic contact forms. The law requires clear, documented permission for every promotional text you send.
2. CTIA Messaging Principles
While the Telephone Consumer Protection Act is enforced by the government, CTIA rules are enforced by carriers, the ones actually delivering your messages. The Cellular Telecommunications Industry Association (CTIA) sets messaging standards that carriers use to decide whether to allow or block your campaigns.
If your campaign doesn’t follow CTIA guidelines, it may never reach your audience. We’ve seen cases where compliant businesses still got flagged simply because their opt-in flow or message copy missed a few critical details. Carriers tend to err on the side of caution, so aligning with CTIA is just as important as following federal law.
CTIA rules are especially relevant when registering campaigns through 10DLC or other sanctioned messaging channels. They apply across all industries and use cases, from appointment reminders to promotional campaigns.
Here’s what CTIA expects from your messaging:
- Clear brand identification in every message. Your recipients should always know who is texting them.
- Opt-out support using standard keywords like STOP, UNSUBSCRIBE, and HELP, and those keywords must actually work.
- Transparent opt-in confirmation that explains the program name, expected frequency, message types, and opt-out instructions.
- Avoidance of misleading or aggressive language. Spam-like tactics lead to filtered messages.
- Consistency between what users signed up for and what you send. Don’t change the message purpose midstream.
Even if you’ve already followed TCPA consent rules, CTIA compliance adds another layer. It's what allows your messages to flow smoothly through carrier networks and protects your long-term delivery reputation.
3. 10DLC Registration
If your business sends SMS messages using standard 10-digit phone numbers (also known as long codes), you're required to register your brand and messaging campaigns under the 10DLC system. This process was introduced by US mobile carriers to reduce spam and improve trust in application-to-person (A2P) messaging.
Teams often discover 10DLC requirements only after their messages start getting throttled or blocked. After February 3, 2025, 10DLC registration isn't optional; it’s now the baseline for sending A2P SMS in the US.
Here is what you need to register under 10DLC:
- Your brand: Legal business name, Employer Identification Number (EIN), and contact details.
- Campaign use case: What kind of messages you’ll send, such as alerts, promotions, or reminders.
- Sample messages: A few examples that reflect the actual tone and content of your texts.
- Opt-in process description: How users give permission to receive your messages.
Once your registration is submitted, it’s vetted by The Campaign Registry (TCR) and carrier partners. If approved, your messages are assigned a "trust score" that affects throughput and delivery reliability.
Skipping this process or submitting incomplete or inconsistent information can result in:
- Slower message delivery or daily sending limits.
- Full campaign blocks by carriers.
- Additional fees or surcharges.
Registering once isn't enough either. Carriers expect your live campaigns to match what you submitted, so it’s important to keep things aligned and up to date.
4. Toll-Free and Short Code Requirements
If you're using toll-free numbers (e.g., numbers starting with 800, 888, etc.) or dedicated short codes (typically 5–6 digit numbers) to send SMS, different approval processes apply, but compliance expectations remain just as strict.
These high-throughput routes are often used by businesses that send a large volume of messages or need faster delivery speeds. However, with greater capacity comes more scrutiny from carriers and providers.
We’ve worked with customers who assumed toll-free numbers didn’t require vetting. In reality, all toll-free messaging campaigns must go through a verification process before full delivery is allowed. The same goes for short codes, which require a pre-launch review by aggregators and carriers.
What’s required for toll-free and short code messaging:
- Proof of opt-in: Carriers need to see how you collect user consent, often with screenshots or workflow documentation.
- Use case review: You’ll need to explain what types of messages you send and why a toll-free or short code is needed.
- Content checks: Sample messages are reviewed to ensure they meet CTIA standards and don't trigger filters.
- Ongoing compliance: If your messages deviate from what was approved, carriers can suspend or block delivery.
These routes offer benefits like higher throughput and brand recognition, but they demand tight compliance controls. If you don’t have systems in place to manage consent, message consistency, and opt-outs, you risk interruptions in service.
5. Opt-In and Opt-Out Consent Management
Consent is the foundation of every compliant SMS program. Whether you’re sending marketing campaigns, transactional updates, or service alerts, you need to prove that each recipient has agreed to receive those messages, and that they can easily opt out at any time.
Teams in compliance-heavy sectors like healthcare and finance often run into problems with consent management. Either they don’t capture opt-in in a verifiable way, or they don’t have systems in place to process opt-outs immediately. Both can result in carrier filtering or legal consequences.
What’s required for proper opt-in:
- Clear language that explains what the user is signing up for.
- Your brand name, so the recipient knows who will be texting them.
- Message purpose and frequency (e.g., “You’ll receive appointment reminders 1–2 times a month”).
- Disclosure of standard message/data rates.
- Timestamped and traceable records that include the opt-in source (web form, SMS keyword, etc.).
What’s required for opt-out:
- Support for common keywords like STOP, UNSUBSCRIBE, CANCEL.
- Instant processing of opt-out requests. No delays, no questions asked.
- Confirmation message that opt-out was successful and no further messages will be sent.
- Permanent suppression of the number across all campaigns unless re-consent is given.
Without proper consent tracking and opt-out enforcement, even a single message can put your business at risk. Carriers actively monitor for violations, and regulators treat consumer complaints about unwanted texts very seriously.
6. SHAFT Rules
Mobile carriers prohibit certain types of content from being sent over SMS, especially through business messaging channels. These restrictions are commonly referred to as SHAFT, an acronym for Sex, Hate, Alcohol, Firearms, and Tobacco.
If your messages reference any of these categories, even indirectly, you’re likely to face delivery issues or campaign rejections. In some cases, we’ve seen compliant businesses get flagged simply because of a keyword that was interpreted as SHAFT-adjacent, so it’s important to be careful with language.
These rules apply across all routes (10DLC, toll-free, and short codes), and they’re enforced at the carrier level.
Content that may trigger SHAFT violations:
- Explicit references to adult content, sex acts, or pornography, even if legal.
- Language promoting hate speech, discriminatory views, or extremist content.
- Alcohol-related promotions (e.g., discounts on wine or beer) without proper age-gating.
- Mentions of firearms, weapon sales, or shooting accessories.
- Tobacco and vaping content, including CBD or cannabis, even in states where it’s legal.
If you operate in a legal SHAFT-related industry:
- You must age-gate users before any promotional messaging is sent.
- You may need enhanced review and approvals, depending on your use case and carrier.
- Transactional messages (like purchase confirmations) are still subject to filtering if the product itself falls under a restricted category.
Carriers take these filters seriously to protect consumers and reduce risk. If your business touches any of these verticals, be proactive: clarify your message purpose, use age verification where required, and avoid promotional language unless explicitly approved.
7. Sending Time Limits. Respect Quiet Hours
Even if your messages are fully compliant in content and consent, timing matters. Several states in the US have laws that restrict when you can send marketing texts, often referred to as “quiet hours.”
If you’re sending promotional SMS at the wrong time, especially in states like Florida or Oklahoma, you could be in violation of state-level consumer protection laws. These rules typically apply to marketing and sales messages, not transactional ones like appointment reminders, but the lines can blur, so it's safer to build timing safeguards into your process.
Common quiet hour restrictions:
- No marketing texts before 8 AM or after 9 PM local time in many states.
- Florida’s “Mini-TCPA” enforces these hours aggressively with real legal consequences for violations.
- Oklahoma and others have adopted similar legislation, and more states are likely to follow.
Best practices for staying compliant:
- Always check and respect the recipient’s local time zone, not your own.
- Apply state-level rules to national campaigns to avoid accidental violations.
- Separate marketing from transactional flows, so time rules don’t block urgent updates.
- Use automated scheduling tools that restrict delivery windows based on geography and message type.
Quiet hour violations aren’t just a legal risk; they also frustrate recipients and increase opt-outs. If you’re sending messages while your customers are asleep, you’re not only non-compliant, you’re also making a bad impression.
8. Recordkeeping and Privacy Laws
Every opt-in, opt-out, and message you send creates a trail, and you need to be able to show it. Under laws like the California Consumer Privacy Act (CCPA) and the Telephone Consumer Protection Act (TCPA), businesses are expected to maintain detailed records of how they collect and manage consent.
For regulated industries like healthcare, finance, or education, recordkeeping is especially important. You may also be subject to laws like HIPAA, which adds further requirements around how customer data is stored and accessed. Similarly, the General Data Protection Regulation (GDPR) applies to any business processing personal data of EU or EEA residents, including via SMS.
We’ve seen that businesses often have solid consent practices but fall short on documentation. When complaints arise, it’s not enough to say “they opted in”; you need to show exactly when and how.
What records you should retain:
- Consent logs: Timestamp, source, and method of every opt-in and opt-out.
- Message logs: Full message content, delivery timestamps, and status (delivered, failed, etc.).
- Campaign metadata: Campaign ID, use case, approval status, and routing channel.
- Privacy acknowledgments: When applicable, records of terms acceptance and privacy policy agreements.
How long should you keep these records?
- 1–7 years, depending on your industry, state laws, and risk profile.
- For high-risk sectors (e.g., healthcare, finance), aim for the longer end of that range.
- Keep records separate for marketing vs. transactional consent to avoid mixing permissions.
Good recordkeeping doesn’t just protect you from fines; it’s your best defense in case of audits, complaints, or litigation. Without logs, it's your word against the recipient’s, and that rarely goes in your favor.
How Conversive Simplifies SMS Compliance Across All Layers
Staying compliant across federal law, industry standards, and carrier requirements isn’t simple. That’s why we’ve built Conversive to handle these layers for you, especially if you’re in a regulated space where getting it wrong has real consequences.
We work with organizations in industries like healthcare, education, finance, and legal services who rely on us to make sure their messages are not just delivered, but compliant by default.
Here’s what Conversive handles for you:
- Consent, opt-out, and audit trails: Natively logged inside Salesforce.
- 10DLC registration: We manage it end-to-end, including vetting, documentation, and updates.
- Toll-free and short code compliance: It includes use case validation and message approval flows.
- Quiet hour scheduling tools: Messages are automatically restricted based on recipient time zone and message type.
- SHAFT keyword detection and filters: You’re notified before a flagged message gets sent.
- Multi-channel compliance coverage: SMS, WhatsApp, email, and RCS all managed under a unified rules engine.
Conversive is built for businesses where customer trust, data privacy, and message reliability aren’t negotiable. Compliance is built into your workflow. No extra systems. No manual tracking.
Conversive helps meet every layer of SMS compliance without slowing down your outreach. Whether you're in healthcare, education, finance, or legal, we help you stay aligned with TCPA, CTIA, 10DLC, and privacy laws from day one.
Talk to Conversive Compliance Experts to know more.
Frequently Asked Questions
What is required for TCPA-compliant text messaging?
You need prior express written consent before sending marketing texts. That includes a clear explanation of what the user is signing up for and a working opt-out method like "Reply STOP to unsubscribe."
What is CTIA? How does it affect SMS marketing?
The Cellular Telecommunications Industry Association (CTIA) sets industry rules that carriers use to evaluate message quality. Their guidelines cover branding, opt-in flows, message content, and opt-out handling.
Do I need to register for 10DLC to send texts?
Yes. All A2P (application-to-person) messages sent from 10-digit numbers in the US must be registered through The Campaign Registry (TCR). Without it, your messages may be blocked or throttled.
What are opt-in and opt-out requirements for SMS?
You must log opt-ins with a timestamp, source, and message purpose. Opt-outs must be processed instantly, using keywords like STOP, UNSUBSCRIBE, or CANCEL.
What content is banned under SHAFT rules?
Carriers prohibit content related to Sex, Hate, Alcohol, Firearms, or Tobacco unless special permissions and safeguards (like age-gating) are in place. Even legal businesses must go through enhanced review.
Can I send marketing texts at any time of day?
No. Many states, such as Florida and Oklahoma, restrict marketing SMS to between 8 AM and 9 PM local time. It's your responsibility to ensure messages respect these quiet hours.
How long should I keep SMS consent records?
Best practice is to retain records for 1 to 7 years, depending on your industry and risk profile. This includes opt-in timestamps, delivery logs, and opt-out events.
