A single non-compliant SMS campaign to 5,000 contacts carries a theoretical fine exposure of $2.5 million to $7.5 million under TCPA. That’s not an edge case it’s the math at the base fine rate of $500 to $1,500 per message with no statutory cap on total liability. And because the TCPA grants individuals a private right of action, your business doesn’t need to attract FCC attention to get sued. Any recipient of a non-compliant text can file.
Before we get into what compliance actually requires, there’s one foundational correction most SMS marketers need: CAN-SPAM doesn’t govern text messages. It governs email. The law that applies to SMS marketing is the Telephone Consumer Protection Act a significantly stricter framework that requires opt-in consent before you send, not just a working unsubscribe link after. Understanding that distinction is the starting point for building a compliant SMS program.
CAN-SPAM vs TCPA: Which Law Governs Your SMS?
CAN-SPAM (the Controlling the Assault of Non-Solicited Pornography And Marketing Act) was enacted in 2003 to regulate commercial email. It sets rules for email marketing: a working unsubscribe mechanism, honest subject lines, physical mailing address in the footer and identification as a commercial message. Under CAN-SPAM, you can send commercial email without prior consent you just have to give recipients a way to opt out.
TCPA works the opposite way. Enacted in 1991 and extended to SMS by the FCC, TCPA requires prior express written consent before you send any automated marketing text. The consent must be documented, affirmative, and specific to your brand. There’s no send-first-opt-out-later model for marketing SMS. If you text without documented consent, you’re already in violation.
| CAN-SPAM | TCPA | |
|---|---|---|
| Covers | Email marketing | Phone calls, SMS, fax |
| Consent model | Opt-out (send first, offer unsubscribe) | Opt-in (get consent before sending) |
| Prior consent required? | No, for email | Yes, written, documented |
| Enforced by | FTC + state AGs | FCC + private litigants |
| Private lawsuits? | No, FTC/AG enforcement only | Yes, any recipient can sue |
| Per-violation fine | Up to $53,088 per email (FTC) | $500–$1,500 per text |
| Class actions common? | Less common | Very common growing rapidly |
| Applies to SMS? | No | Yes |
See how much revenue SMS could add to your HubSpot stack
Five inputs. Industry-backed benchmarks. Get your projected annual SMS revenue in under 30 seconds.
Calculate My SMS ROI
What TCPA Actually Requires for SMS Marketing
Prior Express Written Consent
Prior express written consent (PEWC) is the TCPA consent standard for marketing SMS. It requires a written record electronic is fine, including a checkbox on a web form in which the consumer specifically agrees to receive automated marketing text messages from your business. The consent must:
- Be in writing (electronic forms, checkbox, digital signature all qualify)
- Identify your company by name consent to ‘receive communications from partners’ doesn’t qualify
- Be specific to SMS marketing email consent doesn’t transfer
- Be obtained before the first marketing text is sent no exceptions
- Be documented and retrievable you need proof if challenged
- Not be pre-checked the consumer must take an affirmative action
Transactional messages order confirmations, appointment reminders, account alerts triggered by a consumer’s own action operate under a slightly lower standard. A consumer providing their phone number in the context of a transaction may create implied consent for transactional texts related to that transaction. Implied consent doesn’t extend to marketing or promotional messages.
The January 2026 One-to-One Consent Rule
Effective January 2026, the FCC closed what regulators called the ‘lead-generator loophole.’ Previously, a single checkbox on a comparison shopping site or lead aggregator could generate consent for texts from dozens of brands simultaneously. That’s now prohibited. Each brand must obtain its own direct consent from each consumer. Consent is not transferable, not shareable, and not purchasable.
For teams texting leads from HubSpot, this means any contact whose phone number came from a list purchase, lead aggregator, partner data share, or co-registration campaign is now presumed to lack valid TCPA consent for your specific brand. Texting those contacts without re-consenting them creates liability under the updated rule.
The April 2025 ‘Any Reasonable Method’ Opt-Out Rule
Since April 2025, the FCC requires businesses to honor opt-out requests made through any reasonable communication method not just STOP keyword replies. A contact who emails your team asking to stop receiving texts, leaves a voicemail to that effect, or sends a written request must be removed from your SMS sends within 10 business days. Real-time processing is the recommended standard.
This change requires coordination between your SMS platform, your email inbox, and whoever handles inbound calls. Opt-out requests that arrive through non-SMS channels need to flow into your HubSpot contact record and flag the contact as opted out of SMS before your next workflow fires.
Quiet Hours
TCPA prohibits automated marketing texts before 8 AM or after 9 PM in the recipient’s local time zone not the sender’s. A business in New York texting a contact in Los Angeles at 7:50 PM EST is sending at 4:50 PM local time, which is fine. The same business texting at 9:10 PM EST reaches that contact at 6:10 PM local fine. But texting at 9:10 PM PST because the rep forgot to check the contact’s time zone means the message arrives at 12:10 AM EST for contacts on the East Coast a TCPA violation.
A well-configured HubSpot workflow with a Message IQ SMS action uses the contact’s time zone property to enforce sending window compliance automatically.
What TCPA Violations Actually Cost
The fine structure is straightforward but the math gets alarming fast when you’re running any kind of volume.
| Violation Type | Fine Per Message | How It’s Triggered |
|---|---|---|
| Standard violation | $500 | Sending without proper consent, missed opt-out |
| Willful or knowing violation | $1,500 | Court determines intent applies to repeat violations |
| Class action (1,000 messages) | $500K–$1.5M | A single non-compliant campaign |
| Class action (10,000 messages) | $5M–$15M | Mid-size campaign to unvetted list |
| State law stacking (FL, WA, OK) | Additional per-message penalties | Some states have stricter statutes |
There is no minimum threshold. One unauthorized text to one person creates a cause of action. The private right of action is the mechanism that makes TCPA so potent it doesn’t require government enforcement to result in a lawsuit. Plaintiff attorneys work on contingency, meaning they take TCPA cases without upfront cost to the plaintiff. The economics favor aggressive litigation.
State SMS Laws: When Federal TCPA Isn’t the Strictest Standard
TCPA sets the federal floor. Several states have enacted SMS-related statutes that impose additional requirements or stricter standards. Where state law is more restrictive than federal law, the stricter standard applies to contacts in that state.
| State | Key Provision | Practical Impact |
|---|---|---|
| Florida | Florida Telephone Solicitation Act (FTSA) requires prior express written consent for automated calls AND texts, including those using ‘auto-dialer technology’ | Broader definition of automated texts than TCPA; higher class action activity |
| Washington | Commercial Electronic Mail Act (CEMA) additional requirements for commercial messages sent to Washington residents | Applies to SMS in some interpretations; consult counsel |
| Oklahoma | Oklahoma Telephone Solicitation Act similar to FTSA, applies to commercial texts | Private right of action; per-message damages |
| California | California Consumer Privacy Act (CCPA) data privacy requirements including phone numbers as personal data | Consent and data deletion requests apply to SMS contact data |
| Texas, Maryland | State telemarketing laws with SMS provisions | Varies review with legal counsel for contacts in these states |
Florida is the highest-risk state for SMS marketers. The FTSA’s definition of ‘auto-dialer’ is broader than TCPA’s, and Florida-based plaintiffs have driven a disproportionate share of SMS class action filings in recent years. If your contact list includes Florida residents and most B2B lists do treat Florida standards as your baseline, not the federal floor.
The B2B TCPA Exemption Myth
Many B2B sales and marketing teams believe TCPA doesn’t apply to business-to-business texting. This is partially true and frequently misapplied in ways that create liability.
TCPA’s consent requirements apply to calls and texts to mobile phones. The statute doesn’t distinguish between personal and business use it distinguishes between the type of phone. If a business contact’s phone number is a mobile number (which nearly all are in 2026), TCPA consent requirements apply regardless of whether the communication is for business purposes.
The narrow B2B carve-out exists for landline business numbers and in some interpretations for communications that are genuinely not ‘marketing’ a rep manually dialing a known business contact to follow up on an existing relationship, without automation. The moment you use an automated SMS platform to send a message to a mobile number, TCPA consent requirements apply regardless of the business context.
For HubSpot teams using Message IQ: if you’re texting contacts from a workflow triggered by a deal stage or form submission, you’re using an automated system. You need documented consent from those contacts before the text fires.
Turn HubSpot Into A Real-Time SMS Engine with Message IQ
Two-Way Conversations
Shared Team Inbox
Automation Triggers
Advanced Reporting
Compliance Tools
- 98% SMS read within 3 min
- 78% Buy from first responder
- 21× More likely to qualify
*MessageIQ is an Integrate IQ product built natively for HubSpot by the same team.
How to Build a TCPA-Compliant SMS Program
Step 1: Fix Your Opt-In Forms
Every form that captures a phone number needs an unchecked SMS consent checkbox with compliant language before any automated marketing texts go out to that contact.
Compliant opt-in language example: By checking this box, I agree to receive automated marketing text messages from [Company Name] at the phone number provided. Message and data rates may apply. Message frequency varies. Reply STOP to unsubscribe. Reply HELP for help. Consent is not a condition of purchase. View our Privacy Policy.
Key elements that must appear: your company name specifically named (not ‘us’ or ‘our partners’), ‘automated marketing text messages’ (not just ‘communications’), the opt-out method, the HELP keyword, and the ‘not a condition of purchase’ disclaimer. Missing any of these weakens your consent documentation.
Step 2: Audit Your Existing Contact List for Consent Source
Before running any SMS campaign to an existing list, document how each contact’s phone number was collected and whether TCPA consent was obtained at that time. Contacts who:
- Submitted a form with a compliant SMS consent checkbox properly consented, safe to text
- Provided a phone number during a transaction without SMS consent language implied consent for transactional texts only, not marketing
- Came from a purchased list, lead aggregator, or partner data share no valid TCPA consent under January 2026 rules, do not text without re-consenting
- Previously texted STOP but were never removed from workflows non-compliant, fix immediately
Step 3: Complete 10DLC Registration
Any automated SMS from a 10-digit business number in the US requires A2P 10DLC registration. Unregistered numbers get carrier-blocked regardless of consent documentation. TCPA compliance and 10DLC registration are both required they operate in parallel, not as substitutes for each other.
Step 4: Configure Opt-Out Handling Across All Channels
Under the April 2025 FCC rule, opt-out requests arriving through email, phone calls, or informal messages must be processed within 10 business days. This requires:
- Message IQ handling STOP keyword replies automatically and logging to HubSpot contact records
- A process for forwarding email-based opt-out requests to whoever manages the HubSpot SMS opt-out property
- HubSpot workflow stop conditions set to ‘Contact has opted out of SMS’ to prevent re-enrollment
- Periodic list audits to catch contacts who opted out through channels that weren’t automatically logged
Step 5: Enforce Quiet Hours in Your Workflow Configuration
Set HubSpot workflow sending windows to respect 8 AM to 9 PM in the contact’s local time zone. Message IQ’s HubSpot integration allows scheduling SMS actions within workflow time windows. Use the contact’s ‘Time zone’ property to scope delivery don’t default to the sender’s time zone.
CAN-SPAM’s Role in a Multi-Channel Compliance Program
While CAN-SPAM doesn’t govern SMS, it does govern the email sequences that run alongside your SMS workflows in HubSpot. A compliant multi-channel program needs both frameworks operating correctly CAN-SPAM for the email touches, TCPA for the SMS touches.
CAN-SPAM’s core requirements for email:
- Accurate ‘From’ name and reply-to address no deceptive sender identification
- Non-deceptive subject line no misleading preview text
- Physical mailing address in the email footer
- Working unsubscribe mechanism must function for at least 30 days after send
- Opt-out requests processed within 10 business days
- No charging a fee or requiring extra steps to unsubscribe
Unlike TCPA, CAN-SPAM allows marketing emails without prior consent but an email unsubscribe doesn’t automatically opt the contact out of SMS. Your HubSpot workflow configuration needs to handle communication preferences separately: an email opt-out doesn’t remove a contact from SMS sequences unless you explicitly build that logic into your workflows.
Compliance Checklist for SMS Marketing Teams
| Checklist Item | Required | Notes |
|---|---|---|
| Prior express written consent documented for each SMS contact | Required | TCPA before first marketing text |
| Consent is first-party (not purchased or shared) | Required | Jan 2026 FCC one-to-one consent rule |
| Opt-in form includes company name, message type, STOP/HELP, rates disclosure | Required | All elements required for PEWC |
| 10DLC brand and campaign registration complete | Required | Required before any automated A2P sends |
| STOP, UNSUBSCRIBE, CANCEL, END, QUIT all honored automatically | Required | TCPA + CTIA requirement |
| Opt-outs from email/phone/informal channels processed within 10 business days | Required | April 2025 FCC ‘any reasonable method’ rule |
| Opt-out logged to HubSpot contact record and stop condition active in workflows | Required | Prevents accidental re-enrollment |
| Messages sent only 8 AM – 9 PM recipient local time | Required | TCPA quiet hours recipient time zone, not sender |
| Company name identified in every marketing text | Required | CTIA sender identity requirement |
| No public link shorteners (bit.ly / tinyurl) | Required | Carrier filtering risk + CTIA Oct 2025 |
| No SHAFT-restricted content without carrier approval | Required | CTIA content restriction |
| Consent documentation stored and retrievable for audit | Required | Essential for TCPA defense |
| Florida FTSA requirements applied to FL contacts | Conditional | Broader definition of autodialer than TCPA |
| Transactional vs marketing message distinction maintained | Required | Different consent standards apply |
| Email compliance (CAN-SPAM) maintained separately from SMS compliance | Required | Different frameworks don’t conflate |
How Message IQ Supports TCPA-Compliant SMS for HubSpot Teams
Compliance infrastructure is the part of SMS setup that breaks silently. A platform that processes opt-outs manually, doesn’t log consent to the CRM, or requires a separate dashboard to track who’s opted out creates gaps that show up in discovery during a lawsuit not during regular operations.
Message IQ handles the compliance layer inside HubSpot natively:
- Automatic opt-out processing. STOP and related keyword replies remove contacts from future sends immediately and log the opt-out to the HubSpot contact record no manual list management, no delay between the opt-out request and enforcement.
- HubSpot stop conditions. Workflows can be configured with ‘Contact has opted out of SMS’ as a stop condition, preventing re-enrollment through deal stage changes, list additions, or other triggers that would otherwise enroll the contact again.
- 10DLC registration guidance during onboarding. Message IQ walks teams through brand and campaign registration with compliant opt-in language and sample messages, reducing first-submission rejection rate.
- Quiet-hours workflow configuration. HubSpot workflow time windows and Message IQ’s scheduling tools allow SMS sends to be scoped to compliant hours using the contact’s local time zone property.
- Contact-level activity logging. Every send, reply, opt-out, and link click logs to the HubSpot contact timeline creating an auditable record of SMS activity that matters if consent documentation is ever challenged.
Frequently Asked Questions
Does CAN-SPAM apply to SMS text messages?
No. CAN-SPAM governs commercial email marketing, not text messages. SMS marketing in the United States is regulated by the Telephone Consumer Protection Act (TCPA), which requires prior express written consent before sending automated marketing texts. The two laws have different consent models CAN-SPAM uses opt-out (you can send first, then offer unsubscribe), while TCPA uses opt-in (consent must be obtained before the first marketing message).
What are the TCPA fines for non-compliant SMS?
TCPA statutory damages run $500 per violation for standard violations and $1,500 per violation for willful or knowing violations. There’s no cap on total liability, meaning a non-compliant campaign to 10,000 contacts creates exposure of $5 million to $15 million. Class action filings under TCPA are common any recipient of a non-compliant text has a private right of action, and plaintiff attorneys take these cases on contingency.
Do I need consent to text business contacts for B2B marketing?
Yes, in most circumstances. TCPA consent requirements apply to calls and texts to mobile phones regardless of whether the communication is for business purposes. If you’re using an automated SMS platform to text a contact’s mobile number which is almost every business number in 2026 TCPA consent requirements apply. The narrow B2B carve-out covers manually dialed calls to verified landline business numbers for non-marketing purposes, which doesn’t describe automated HubSpot SMS workflows.
What counts as ‘prior express written consent’ for SMS?
A written record electronic or physical in which the consumer specifically agrees to receive automated marketing text messages from your named business. An unchecked checkbox on a web form with compliant disclosure language qualifies. Verbal consent alone doesn’t qualify. Email consent doesn’t transfer to SMS consent. Consent collected by a third-party lead generator for their purposes doesn’t qualify under the January 2026 one-to-one consent rule. The consent must be affirmative, specific to your brand, documented, and obtainable before the first marketing text.
How do I handle opt-outs under the April 2025 FCC rule?
The April 2025 FCC update requires honoring opt-out requests made through any reasonable method including email, phone calls, and informal written requests within 10 business days. Real-time processing is best practice. For HubSpot teams, this means creating a process to route opt-out requests that arrive through non-SMS channels into your HubSpot contact records and update the SMS opt-out property before your next workflow fires. Message IQ handles STOP keyword replies automatically; the cross-channel piece requires a defined internal process.
What’s the difference between TCPA compliance and 10DLC registration?
They’re parallel requirements, not substitutes. TCPA compliance is about consent documentation, opt-out handling, and quiet hours the legal framework for who you can text and how. 10DLC registration is about carrier approval for your business number the technical framework for whether your messages actually deliver. A legally compliant SMS program with proper consent documentation still gets blocked if the number isn’t registered. A registered number with carrier approval still creates TCPA liability if you’re texting without consent. Both are required.
Get 300+ SMS Templates
Enter your details to download the PDF instantly.
Download Started!
Your 300+ SMS Templates PDF is downloading now. If it didn’t start, click here.
Start With a Clean Program
The businesses that avoid TCPA fines aren’t the ones with the best lawyers on retainer they’re the ones that built consent collection, opt-out handling, and quiet-hour enforcement into their SMS program before the first message went out. Message IQ puts that infrastructure inside HubSpot: automatic opt-out logging to contact records, workflow stop conditions, 10DLC registration guidance during onboarding, and sending controls that enforce quiet hours by contact time zone. Plans starting at $99/month.
