Skip to content
GoFlux Marketing

Compliance

SMS compliance essentials

← Back to resources

Comprehensive SMS Compliance: Statutory Obligations & Carrier Mandates

The legal landscape of Application-to-Person (A2P) messaging is governed by a hierarchy of federal statutes and industry standards. Failure to adhere to these protocols exposes an entity to statutory damages under the Telephone Consumer Protection Act (TCPA), which provides for private rights of action ranging from $500 to $1,500 per unauthorized message.

1. The Doctrine of Express Consent

The cornerstone of SMS legality is the establishment of "Prior Express Written Consent" (PEWC). As defined in 47 C.F.R. § 64.1200, consent must be a clear and conspicuous disclosure that allows the consumer to receive marketing messages delivered via an automated system.

Non-Transferability: Consent is granted to a specific legal entity. Per the FCC Second Report and Order (FCC 23-107), lead generators and aggregators are prohibited from "sharing" consent across multiple "marketing partners." Consent must be obtained on a "one-to-one" basis.

The "Double Opt-In" Standard: While not strictly a federal law, the CTIA Messaging Principles and Best Practices dictate that a confirmation message must be sent immediately upon sign-up, confirming the subscriber’s intent.

2. Mandatory Disclosure Framework

At the point of capture (the "Call to Action" or CTA), the following disclosures must be displayed in a font size and color that is not easily overlooked, ensuring they meet the "clear and conspicuous" standard:

Program Description: A specific name or description of the message campaign.

Message Frequency: A disclosure such as "Message frequency varies" or "Approx. 4 msgs/month."

Carrier Charges: The verbatim phrase: "Message and data rates may apply."

Privacy Policy & Terms: Direct, hyperlinked access to the full Terms of Service and Privacy Policy.

Opt-Out Instructions: Clear instructions on how to terminate the subscription (e.g., "Text STOP to cancel").

3. 10DLC (10-Digit Long Code) & Brand Registration

For A2P traffic, carriers now require registration via The Campaign Registry (TCR). This process involves:

Brand Verification: Validation of the EIN and legal business entity.

Campaign Vetting: A manual review of the use case, message templates, and opt-in workflow.

Vetting Scores: Higher vetting scores, often facilitated by third-party aggregators, permit higher throughput (TPS) and daily volume limits.

4. Revocation of Consent (The "STOP" Command)

The right to revoke consent is absolute. Under the TCPA and affirmed by the FCC's 2015 Omnibus Declaratory Ruling, consumers may revoke consent through "any reasonable means."

"A consumer has a right to revoke consent, using any reasonable method including orally or in writing... callers may not control the way in which consumers choose to revoke their consent." — FCC 15-72

Systems must be programmatically configured to recognize and execute "STOP," "UNSUBSCRIBE," "CANCEL," and "QUIT" keywords with zero latency. A single "confirmation of opt-out" message is permitted but must contain no marketing content.

5. Record Keeping and Burden of Proof

In the event of a demand letter or litigation, the burden of proof regarding consent lies entirely with the sender. Essential documentation includes:

Timestamped Metadata: The IP address, date, and time of the opt-in.

Visual Evidence: A screenshot or session recording (e.g., via TrustedForm or Jornaya) showing the exact UI the user encountered at the time of consent.

Campaign Metadata: A record of the specific Terms and Conditions version active at the time of the user's signature.

Authority Sources for Further Review

Federal Communications Commission (FCC): Consumer Support on Robotexts

Federal Trade Commission (FTC): The Telemarketing Sales Rule (TSR)

U.S. Code: 47 U.S.C. § 227 (The TCPA)