The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 that regulates how businesses can contact consumers by phone, fax, and text message. For SMS marketing, the TCPA establishes strict requirements around consent, opt-out handling, sender identification, and timing — and the penalties for non-compliance are severe enough to bankrupt a business.
If you use SMS text messaging lists or any form of text message marketing to reach customers and prospects, understanding TCPA compliance is not optional. With statutory penalties of $500 to $1,500 per unauthorized text and class-action settlements regularly exceeding $100 million, even a single campaign sent to the wrong list can create catastrophic liability.
This guide breaks down exactly what the TCPA requires, how to comply, and how to build an SMS marketing program that generates leads without generating lawsuits.
What the TCPA Covers
The TCPA applies to all commercial text messages sent to mobile phone numbers in the United States using any form of automated dialing or messaging system. This includes promotional SMS campaigns, marketing text blasts, automated appointment reminders with promotional content, and any text sent through an SMS marketing platform or API.
The law draws a distinction between two types of messages, each with its own consent standard.
Informational or transactional messages — such as appointment confirmations, shipping notifications, and account alerts — require express consent, meaning the consumer voluntarily provided their phone number in connection with the type of message being sent. This is the lower consent bar.
Marketing or promotional messages — including sales offers, discount codes, event promotions, and any text designed to advertise or sell a product or service — require prior express written consent. This is the higher bar and the one that applies to nearly all SMS marketing campaigns.
The Five Pillars of TCPA Compliance
1. Prior Express Written Consent
This is the cornerstone of TCPA compliance for SMS marketing. Before sending any promotional text message, you must have documented, written consent from the recipient that meets all of the following criteria:
The consent must clearly authorize your specific business to send marketing text messages. The recipient must provide their signature — which can be an electronic signature such as checking an unchecked box on a web form, clicking a submit button, or texting a keyword to a short code. The consent cannot be a condition of purchasing a product or service. Pre-checked consent boxes are not valid.
A compliant opt-in disclosure must include your business name, a statement that the consumer agrees to receive marketing or promotional text messages, the expected message frequency (for example, “up to 4 messages per month”), a note that message and data rates may apply, and instructions on how to opt out (for example, “Reply STOP to unsubscribe”) and get help (“Reply HELP for support”).
What does NOT constitute valid consent: Having a customer’s phone number from a previous purchase. Receiving a business card with a phone number on it. Importing contacts from a CRM who never opted in to SMS. Purchasing a list from a vendor who cannot provide proof of TCPA-compliant consent for your specific business.
2. Clear Opt-Out Mechanism
Every marketing text message must provide — or make readily available — a way for the recipient to unsubscribe. The standard method is replying “STOP,” which must immediately cease all future marketing messages to that number.
When a recipient opts out, you must honor the request promptly. Under federal TCPA rules, opt-outs must be processed within a reasonable time (interpreted as immediately or within minutes for automated systems). Several states impose stricter timelines — Virginia, for example, requires businesses to honor text opt-outs for a full 10 years.
You must also maintain an internal Do Not Contact list containing every number that has opted out. This list must be retained for a minimum of five years and checked against before every campaign send.
3. Sender Identification
Each marketing text message must clearly identify who is sending it. At minimum, include your business name in the message body. Consumers must be able to identify the source of the message without guessing or clicking a link.
4. Quiet Hours
Marketing text messages may only be sent between 8:00 AM and 9:00 PM in the recipient’s local time zone. Sending outside this window is a per-message violation.
This means that if your list includes recipients across multiple time zones, your SMS platform must be configured to respect each recipient’s local time. Sending a campaign at 9:30 AM Eastern time also sends it at 6:30 AM Pacific time — which is a TCPA violation for every Pacific time zone recipient.
5. Do Not Call Registry Compliance
You cannot send marketing text messages to numbers listed on the National Do Not Call (DNC) Registry unless the number’s owner has given you prior express written consent.
DNC compliance requires regularly scrubbing your SMS lists against the National DNC Registry. The registry data must be refreshed at least every 31 days. You must also maintain and enforce your own internal DNC list.
TCPA Penalties: What Is at Stake
The financial exposure from TCPA violations is among the most severe in U.S. marketing law.
Statutory damages are $500 per unauthorized text message for negligent violations. Courts can increase this to $1,500 per message (treble damages) for willful or knowing violations. There is no cap on total damages.
To put this in perspective: A single SMS campaign sent to 10,000 recipients without proper consent could generate liability of $5 million to $15 million. In 2025 alone, TCPA class-action settlements exceeded $150 million, with many targeting e-commerce and direct marketing brands for SMS violations.
Who gets sued: The brand, the marketing agency, and the SMS platform vendor can all be named as defendants. Hiring a third-party vendor to manage your SMS campaigns does not transfer your TCPA liability. The brand that benefits from the campaign is ultimately responsible for ensuring compliance.
State Mini-TCPA Laws: Additional Requirements
Beyond the federal TCPA, at least 15 states have enacted their own SMS marketing regulations that may impose stricter requirements. Notable examples include:
Florida requires prior express written consent for all commercial text messages and broadens the definition of an autodialer beyond the federal standard. Under Florida’s Telephone Solicitation Act (FTSA), violations carry penalties of $500 per text ($1,500 for willful violations) plus attorney’s fees, and the law grants a private right of action allowing Florida residents to sue directly.
Connecticut has one of the most restrictive mini-TCPA statutes in the country. It bans all marketing outreach — including SMS — without express written consent and narrows permissible sending hours to 9:00 AM to 8:00 PM local time.
Virginia requires businesses to honor SMS opt-out requests for 10 years, significantly longer than the federal standard.
Oklahoma and Washington also impose additional consent and disclosure requirements beyond the federal baseline.
If your SMS marketing lists include recipients in multiple states, your compliance program must account for the strictest applicable state law for each recipient — not just the federal minimum.
TCPA vs. CAN-SPAM: Key Differences
Marketers who are familiar with email marketing compliance under CAN-SPAM are sometimes surprised by how much stricter the TCPA is. Understanding the differences is critical.
Consent model. CAN-SPAM operates on an opt-out basis — you can send commercial email without prior consent as long as you include proper identification, disclosures, and an unsubscribe mechanism. The TCPA requires prior express written consent before you send the first text. This is a fundamental difference.
Penalties. CAN-SPAM penalties are up to $53,088 per email but are enforced by the FTC and state attorneys general — private lawsuits are not permitted. TCPA penalties are $500 to $1,500 per text and can be brought by individual consumers or through class-action lawsuits, making private litigation the primary enforcement mechanism.
Scope. CAN-SPAM applies to email marketing. The TCPA applies to phone calls, text messages, and faxes — including telemarketing and SMS marketing.
For a detailed guide to email marketing compliance, see our post on CAN-SPAM compliance for purchased email lists.
How to Build a TCPA-Compliant SMS Marketing Program
Start with Compliant Data
The foundation of TCPA compliance is the data you use. If you are purchasing or renting SMS marketing lists, your provider must be able to demonstrate that every mobile number on the list was collected with proper consent documentation. At ProMarketing Leads, we build SMS lists using compliant opt-in procedures and scrub every list against the National DNC Registry before delivery.
Implement Proper Opt-In Flows
Whether you are collecting phone numbers through your website, in-store, at events, or through keyword texting, every opt-in touchpoint must include the required disclosure language and capture documented consent. Save consent records — including the date, time, method, and exact language the consumer agreed to — for at least five years.
Configure Time Zone-Aware Sending
Use an SMS platform that automatically adjusts send times based on each recipient’s local time zone. This is the only reliable way to avoid quiet-hours violations when sending to a national list.
Automate Opt-Out Processing
Configure your SMS system to automatically recognize STOP, UNSUBSCRIBE, CANCEL, END, and QUIT keywords and immediately suppress those numbers from future sends. Send a confirmation message acknowledging the opt-out.
Scrub Against DNC Regularly
Run your SMS lists against the National DNC Registry before every campaign. Refresh your DNC data at least every 31 days. Also maintain and enforce your internal suppression list of numbers that have opted out directly.
Document Everything
Maintain records of every consent collected, every opt-out processed, every DNC scrub performed, and every campaign sent. In the event of a TCPA complaint or lawsuit, your documentation is your primary defense.
TCPA Compliance Checklist
Use this checklist before every SMS campaign:
- Prior express written consent obtained and documented for every recipient
- Consent records stored and accessible for at least five years
- SMS list scrubbed against National DNC Registry within the last 31 days
- Internal opt-out suppression list applied
- Messages scheduled within 8:00 AM to 9:00 PM recipient local time
- Business name included in message body
- Opt-out instructions included or readily accessible (Reply STOP to unsubscribe)
- State-specific requirements reviewed for all recipient states
- Campaign content matches the scope of consent obtained
Frequently Asked Questions
What is the TCPA?
The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 that regulates how businesses can contact consumers via phone calls, faxes, and text messages. For SMS marketing, it requires prior express written consent before sending promotional texts, a clear opt-out mechanism, sender identification, and compliance with quiet hours and the National Do Not Call Registry.
How much are TCPA fines per text message?
TCPA violations carry statutory penalties of $500 per unauthorized text message. Willful violations can result in treble damages of $1,500 per text. There is no cap on total liability, meaning a single campaign to 10,000 unauthorized recipients could create $5 million to $15 million in exposure.
Do I need consent before sending marketing texts?
Yes. The TCPA requires prior express written consent before sending any promotional or marketing text message. This means the recipient must have explicitly agreed — in writing or through a documented electronic signature — to receive marketing texts from your specific business.
Can I use purchased SMS lists for marketing?
Only if the list provider can demonstrate that every number was collected with TCPA-compliant prior express written consent. Purchased lists that do not come with verifiable consent documentation should not be used for SMS marketing, as sending to them creates per-message TCPA liability.
What happens if someone replies STOP?
You must immediately cease all marketing text messages to that number. The opt-out must be honored promptly, and the number must be added to your internal suppression list. Failure to honor opt-out requests is one of the most common triggers for TCPA class-action lawsuits.
What are quiet hours for SMS marketing?
Under the TCPA, marketing text messages may only be sent between 8:00 AM and 9:00 PM in the recipient’s local time zone. Some states impose narrower windows — Connecticut, for example, restricts marketing communications to 9:00 AM through 8:00 PM.
Is the TCPA the same as CAN-SPAM?
No. CAN-SPAM governs email marketing and allows commercial email without prior consent (opt-out model). The TCPA governs phone calls and text messages and requires prior express written consent before sending marketing texts (opt-in model). The TCPA imposes stricter consent requirements and allows private lawsuits, making it a significantly higher-risk regulatory framework.
What is the difference between express consent and express written consent?
Express consent means the consumer voluntarily provided their phone number in connection with a transaction or inquiry. Express written consent is a higher standard that requires a signed, documented agreement specifically authorizing marketing messages. SMS marketing requires express written consent.
Ready to Launch a Compliant SMS Campaign?
Compliance starts with your data. At ProMarketing Leads, every SMS marketing list we build is sourced using TCPA-compliant opt-in procedures, scrubbed against the National DNC Registry, and delivered with verified mobile numbers — so you can launch text campaigns with confidence.
Contact us today for a free consultation and custom quote. Call (866) 397-2772 to speak with a list expert.