There are two layers to sending business SMS in the US, and teams routinely confuse them. One is the carrier layer — registering your numbers so messages get delivered. The other is the legal layer — the federal law that decides whether you’re allowed to send at all. Get the first wrong and your messages get filtered. Get the second wrong and you get sued.

This is about the second layer: the Telephone Consumer Protection Act (TCPA).

The carrier side — 10DLC registration, brand and campaign vetting — is covered in “What Is A2P 10DLC?” The two work together; neither replaces the other.

What the TCPA actually is

Passed in 1991 to rein in unwanted telemarketing, the TCPA predates SMS entirely — but the FCC treats text messages as “calls” under the law. That means every marketing or informational text you send to a US number falls under a federal statute with no cap on aggregate damages. A 100,000-message campaign sent without proper consent isn’t a $500 problem; it’s a potential nine-figure class action. TCPA lawsuits rose nearly 95% year-over-year through mid-2025.

Not all messages need the same permission. The TCPA recognizes two tiers:

  • Prior Express Written Consent (PEWC) — required for marketing and promotional messages. It must be an affirmative opt-in (no pre-checked boxes), disclose that the recipient may get automated messages, identify the sender, state that consent isn’t a condition of purchase, and be documented.
  • Prior Express Consent (PEC) — the lower bar for transactional and informational messages like order confirmations, shipping updates, and appointment reminders. The number has to come from a transaction-related context.

The dividing line is strict: add a promo code to a shipping notice and it becomes marketing, requiring full written consent. Keep the two workflows separate.

The 2025–2026 FCC changes you can’t ignore

Two recent rule changes reshaped what compliance means:

  • Easy revocation (April 2025). Consumers can now revoke consent through any reasonable method — text, email, phone, web form, chatbot, or in person — not just by replying STOP. You must honor it within 10 business days, and real-time is the safer standard.
  • One-to-one consent (January 2026). Consent can no longer be transferred between brands or resold. Each sender must obtain its own consent from each consumer, closing the lead-generator loophole that powered many affiliate and multi-brand programs.

If you buy or share lead lists, this is the rule that bites.

The operational rules

Beyond consent, compliant US SMS means:

  • Quiet hours. Marketing messages may only go out 8am–9pm in the recipient’s local time zone. Transactional messages are exempt.
  • STOP and HELP. Every message must offer a way out. Replying STOP (or “quit,” “cancel,” “unsubscribe,” “end,” and similar) must unsubscribe instantly; HELP must return support info. Send exactly one non-promotional confirmation after an opt-out.
  • Sender identification. Every message — marketing or transactional — must clearly say who it’s from.
  • DNC scrubbing. Scrub marketing lists against the National Do Not Call Registry, and check the Reassigned Numbers Database for consent older than 30 days so you don’t text someone who inherited a recycled number.
  • SHAFT content limits. The CTIA blocks certain content regardless of consent — Sex, Hate, Alcohol, Firearms, Tobacco (and CBD) — with age-gating where applicable. Avoid public URL shorteners; they trip carrier spam filters.

The penalty math

This is why the rules are worth the effort:

| Violation | Penalty |
| --- | --- |
| Standard TCPA violation | $500 per message |
| Willful or knowing violation | $1,500 per message |
| Do Not Call Registry violation | Up to $43,792 per text |

There’s no aggregate cap, and damages are assessed per message — which is what makes TCPA class actions so dangerous at scale.

Don’t forget the states

Federal law is the floor, not the ceiling. States layer their own rules on top, and you must apply the strictest standard for each recipient’s residence:

  • Florida — 15-day safe harbor after opt-out; max 3 messages per recipient per 24 hours.
  • Virginia (Jan 2026) — 10-year retention of opt-out records.
  • Connecticut — written consent required; up to $20,000 per violation.
  • Texas (Sept 2025) — expanded scope and a new private right of action.

A quick note on AI: the FCC has confirmed that AI-generated and AI-assisted messages are treated exactly like conventional automated sends — same consent, same disclosure.

The compliance checklist

| Requirement | Marketing SMS | Transactional SMS |
| --- | --- | --- |
| Prior express written consent | Required | Not required |
| Sender identification | Required | Required |
| Opt-out mechanism | Required | Recommended |
| Quiet hours (8am–9pm) | Required | Required |
| 10DLC registration | Required | Required |
| DNC scrubbing | Required | Required |

The takeaway

The TCPA rewards discipline and punishes shortcuts mercilessly. Get explicit, documented consent; keep marketing and transactional streams separate; honor opt-outs through any channel, fast; respect quiet hours and the DNC registry; and apply the strictest state rule that touches each recipient. Treat consent as infrastructure rather than paperwork, and SMS stays what it should be — a high-trust retention channel, not a legal liability.

This article is informational and not legal advice. Regulations change often; consult qualified counsel for your specific situation.