SMS messaging is highly regulated to protect consumers and maintain network integrity. This article covers essential compliance rules enforced by wireless carriers and industry bodies like the CTIA. Use this guide to understand your obligations - including opt-in requirements, disallowed content, and carrier limits - to ensure your messaging campaigns deliver successfully.
Note: Customers must be aware of and comply at all times with our Terms of Service. The contents of this document do not constitute legal advice, are not intended to be a substitute for legal advice and should not be relied upon as such. You should seek legal advice or other professional advice in relation to any particular legal requirements relating to this subject matter.
Spam policy for SMS marketing
Industry platforms maintain a zero-tolerance policy against spam to protect subscribers and businesses. You cannot simply upload a purchased list of phone numbers to send campaigns. The Telephone Consumer Protection Act (TCPA) requires businesses to obtain prior express written consent before sending autodialed marketing text messages. Sending messages without proper consent can result in fines of up to $1,500 per violation.
Types of messaging, and consent required
You must get consent to message your customers. The type of consent depends on the nature of the message:
- Conversational (Requires Implied Consent): A back-and-forth conversation initiated by the consumer. If a consumer texts a business first and the business responds with relevant information, no additional verbal or written permission is expected.
- Informational (Requires Express Consent): Messages like appointment reminders, welcome texts, or alerts. A consumer needs to agree to receive texts for a specific informational purpose when they give the business their mobile number (this can be done over text, on a form, or verbally).
- Promotional (Requires Express Written Consent): Messages containing sales, marketing promotions, or a call-to-action to buy something. Consumers must sign a form, check a box online, or otherwise provide written consent before receiving promotional texts.
CTIA audit and guiding principles
The CTIA is the body that represents the U.S. wireless communications industry. CTIA audits are the method wireless carriers use to monitor the texting industry for compliance. A failed audit typically means a campaign advertisement is missing required disclosures, which results in the associated keyword and subscriber list being automatically deactivated until the issue is resolved.
To remain compliant, you must follow the CTIA's four Guiding Principles:
- Display clear calls-to-action: Consumers must know exactly what they are signing up for.
- Provide applicable consent mechanisms: Give consumers sufficient control over the messages they receive.
- Send opt-in confirmation messages: A consumer's opt-in must be confirmed in the first message sent, and recurring programs must include clear opt-out instructions.
- Acknowledge and honor opt-out requests: You must provide a way for customers to stop receiving messages (e.g., replying "STOP") and act on those requests immediately.
Disallowed Content
Regulators and carriers actively block messages to protect consumers from spam and illicit activity. Assuming you have express consent, blocks generally occur due to the following disallowed content and red flags:
- SHAFT Content: Sex, Hate speech, Alcohol, Firearms, Tobacco (including vape), and any illicit substances (including Cannabis/CBD and Schedule 1 & 2 drugs). Note: Exceptions apply for age-gated alcohol promotions on toll-free numbers, but hate speech and pornography result in permanent bans.
- High-Risk Financial Services: Payday loans, short-term high-interest loans, auto/student loans (must be 1st party), cryptocurrency, and stock alerts.
- Debt & "Get Rich Quick" Schemes: Debt collection, debt forgiveness/consolidation, credit repair programs, deceptive work-from-home programs, and multi-level marketing.
- Public Link Shorteners: Using free, public link shorteners (like bit.ly) is banned by major carriers like AT&T because they obscure deceptive URLs and are flagged as phishing. Always use built-in URL shorteners or a branded domain.
- Other Red Flags: Redirecting replies to a different phone number, phishing, profanity, gambling, job postings (unless the sender is the one doing the hiring), abnormally high unsubscribe rates, or receiving direct spam reports from users.
Is SMS HIPAA compliant?
SMS is not strictly HIPAA compliant because text messages pass through various wireless carriers and data is stored on recipients' personal handsets rather than solely on secure servers. However, healthcare providers can still use SMS safely by ensuring they never transmit sensitive or private medical information. Typical, permitted use cases include appointment reminders, interoffice staff communications, and general announcements regarding patient services.
Carrier limits for 10DLC messaging
10DLC (10-Digit Long Code) messaging has specific throughput limits based on the trust rating you receive from the Campaign Registry:
- AT&T limits your sending by TPM (Texts Per Minute).
-
T-Mobile applies a daily limit.
Messages that exceed your TPM or daily limit are discarded and not retried, so it is vital to know your sending rate and send in batches that do not exceed your thresholds.
Are there specific state laws to be aware of?
Yes. For example, on September 1, 2025, a Texas law known as Senate Bill 140 (SB 140) or the "Mini-TCPA" goes into effect. It expands telemarketing regulations to cover text messages (SMS, MMS, and RCS). It applies to all businesses sending texts to or from Texas, even if your business is not based there.