Every business sending automated text messages in the US operates under two overlapping compliance frameworks. The first is the Telephone Consumer Protection Act federal law, enforced by the FCC, with statutory damages of $500 to $1,500 per non-compliant message and no cap on total liability. The second is the CTIA Messaging Principles and Best Practices industry standards, not law, enforced by carriers.
Most compliance conversations focus on TCPA because it carries legal penalties. The CTIA framework gets less attention but operationally, violating CTIA standards is equally damaging. Carriers use these principles to decide whether your messages get delivered. Non-compliance means your SMS doesn’t reach anyone, regardless of how clean your legal consent documentation is.
The October 2025 update to the CTIA Messaging Principles tightened requirements around URL handling, sender identification, and opt-in language specificity. Combined with the FCC’s January 2026 one-to-one consent rule, businesses running SMS programs in 2026 face a materially stricter compliance environment than they did 18 months ago. This guide covers both frameworks, what’s changed, what carriers actually check, and how Message IQ supports compliant two-way SMS inside HubSpot.
What Are the CTIA Messaging Principles and Best Practices?
The CTIA (Cellular Telecommunications Industry Association) is the trade association representing the U.S. wireless communications industry carriers like AT&T, T-Mobile, and Verizon, along with the broader mobile ecosystem. The Messaging Principles and Best Practices are a set of industry standards the CTIA publishes and updates to define responsible A2P (Application-to-Person) messaging conduct for businesses.
These principles are not a federal regulation. No government agency enforces them directly. Instead, carriers enforce them operationally by filtering, throttling, or blocking messages that violate the standards. The Campaign Registry (TCR), which handles 10DLC brand and campaign registration, implements the CTIA principles as the practical gatekeeping mechanism for A2P traffic. A campaign that fails to meet CTIA standards typically fails TCR registration meaning your messages never deliver, full stop.
The most recent version was issued in October 2025. Carriers treat it as the current benchmark for A2P messaging compliance. The framework covers six core areas: consumer consent, opt-in flow, opt-out handling, sender identity, content restrictions, and sending behavior.
See how much revenue SMS could add to your HubSpot stack
Five inputs. Industry-backed benchmarks. Get your projected annual SMS revenue in under 30 seconds.
Calculate My SMS ROI
CTIA vs TCPA: Different Rules, Different Consequences
The confusion between CTIA and TCPA runs through almost every SMS compliance conversation. They’re related but separate, and conflating them leads to compliance gaps.
| CTIA Messaging Principles | TCPA | |
|---|---|---|
| Type | Industry guidelines | Federal law |
| Who sets it | CTIA (wireless industry association) | U.S. Congress / FCC |
| Who enforces it | Carriers (AT&T, T-Mobile, Verizon) | FCC + private litigants |
| Consequence of violation | Message filtering, throttling, blocking, campaign suspension | $500–$1,500 per message, class action exposure |
| Can you still be sued? | No, but CTIA violations often accompany TCPA violations | Yes, private right of action, class actions common |
| Covers consent? | Yes, with stricter specificity requirements in some areas | Yes, the legal baseline |
| Updated when? | October 2025 (most recent) | January 2026 (FCC one-to-one consent rule) |
A program can be fully TCPA-compliant and still get blocked by carriers for failing CTIA standards. The reverse is also possible a program that meets CTIA requirements for delivery could still face TCPA litigation if consent documentation is insufficient. Compliant programs satisfy both frameworks simultaneously.
The 6 Core Areas of CTIA Compliance
1. Consumer Consent
CTIA requires express written consent before sending any marketing or promotional SMS. For transactional messages (receipts, shipping notifications, account alerts triggered by a consumer action), implied consent may apply but the CTIA standard still requires clear disclosure that texts may be sent.
Consent must be:
- Specific to the message sender consent given to Company A doesn’t transfer to Company B
- Specific to the use case consent for transactional alerts doesn’t authorize promotional texts
- Documented you need a record of what the consumer agreed to, when, and through what channel
- Not pre-checked opt-in checkboxes must start unchecked; consent requires an affirmative action
2. Opt-In Flow
Every SMS program needs a compliant opt-in flow the process through which a consumer agrees to receive texts. The CTIA’s October 2025 update tightened specificity requirements here: opt-in language must clearly state what type of messages will be sent, at what frequency, and from which brand.
Required disclosures at the point of opt-in:
- Brand or program name
- Description of message types (promotional, transactional, reminders, etc.)
- Message frequency disclosure (e.g., ‘Up to 4 messages per month’ or ‘Message frequency may vary’)
- ‘Message and data rates may apply’ disclosure
- How to opt out (‘Reply STOP to unsubscribe’)
- How to get help (‘Reply HELP for support’ or equivalent)
Example compliant opt-in language: By checking this box, I agree to receive automated marketing text messages from [Company Name] at the number provided. Message and data rates may apply. Message frequency varies. Reply STOP to unsubscribe. Reply HELP for help. View our Privacy Policy at [URL].
The opt-in confirmation message the first text sent after a consumer subscribes must repeat key disclosures: program name, message frequency, opt-out instructions, and customer care contact. This confirmation is required for double opt-in programs and recommended for all programs.
3. Opt-Out Handling
CTIA requires businesses to honor opt-out requests immediately and support the following keywords without exception: STOP, UNSUBSCRIBE, CANCEL, END, and QUIT. When any of these keywords are received, the system must:
- Stop all future automated sends to that number within the same message cycle
- Send a single confirmation message acknowledging the opt-out
- Not send any further marketing messages unless the consumer re-opts in affirmatively
Critical update April 2025 FCC rule: The FCC now requires businesses to honor opt-out requests made through ‘any reasonable method’ not just STOP keyword replies. If a contact emails your company asking to be removed from text messages, calls to request removal, or sends an informal message saying ‘please stop texting me,’ that request must be honored within 10 business days. Real-time processing is best practice. This change significantly affects how compliance teams handle opt-out requests across channels.
4. Sender Identity
Every business SMS message must identify the sender. The CTIA standard and the October 2025 update both reinforce this: anonymous or unbranded messages are a spam indicator and a filtering trigger.
- Include your company name in every message particularly in the first message of a campaign
- Use a consistent sender number changing numbers frequently signals spam behavior to carriers
- Your registered brand name must match the name that appears in messages discrepancies between TCR registration data and message content trigger filtering
- HELP keyword response must provide a customer care contact (phone number or email) alongside your company name
5. Content Restrictions SHAFT
CTIA prohibits certain content categories from standard A2P messaging channels without special carrier approval. The acronym used across the industry is SHAFT:
| Letter | Category | What It Covers |
|---|---|---|
| S | Sex / Adult content | Sexually explicit content, adult dating, NSFW material |
| H | Hate | Content targeting race, religion, gender, sexual orientation, ethnicity |
| A | Alcohol | Alcohol promotion requires age verification and carrier approval |
| F | Firearms | Guns, ammunition, gun parts requires carrier approval |
| T | Tobacco / Cannabis | Cigarettes, vaping, cannabis all restricted or prohibited depending on carrier |
Beyond SHAFT, the following content types are also flagged or prohibited:
- Phishing and fraudulent content any message designed to deceive recipients
- Get-rich-quick schemes and high-yield investment programs
- Payday loans and short-term high-interest lending
- Third-party lead generation and affiliate marketing to shared consent lists
- Multi-level marketing using mass texting
- Debt collection using mass A2P campaigns
For B2B SMS teams using HubSpot, the practical SHAFT concern is usually cannabis (if operating in a legal state) or alcohol (if in hospitality or events). Standard B2B sales and marketing content appointment reminders, proposal follow-ups, deal nudges sits well outside SHAFT territory. The restriction that does affect B2B teams more often is the prohibition on third-party lead generation: buying lists of phone numbers with shared consent and texting them is a CTIA violation regardless of what the list seller claims about consent quality.
6. Sending Behavior
Carrier filtering algorithms score your sending behavior continuously. Message frequency, sending time windows, opt-out rate, complaint rate, delivery failure rate, and consistency between your registered use case and actual message content all factor into your sender reputation. CTIA guidelines set behavioral expectations that carriers translate into scoring thresholds.
- Send only within permitted hours: 8 AM to 9 PM in the recipient’s local time zone not sender time zone
- Disclose message frequency at opt-in and stay within it sending significantly more than disclosed triggers complaints
- Match message content to your registered campaign use case sending promotional messages from a transactional-registered campaign creates a use-case mismatch that carriers flag
- Avoid spam-trigger language: FREE!!!, WINNER, GUARANTEED, URGENT, ACT NOW, BUY NOW these terms don’t guarantee filtering but raise suspicion and depress deliverability
- Never use public link shorteners (bit.ly, tinyurl) branded or platform-managed short domains only
- Maintain audit logs of consent, opt-outs, delivery attempts, and message samples
October 2025 CTIA Update: What Changed
The October 2025 update to the CTIA Messaging Principles focused on three areas that had become enforcement gaps as A2P SMS volume grew:
URL handling. The update formalized restrictions on public link shorteners in A2P messages and strengthened the requirement for branded or platform-managed short domains. Messages containing unregistered or suspicious short domains now face a higher likelihood of carrier filtering at the point of send, not just during campaign registration review.
Sender identification specificity. The update reinforced that brand name in messages must match the entity name registered with TCR. Generic sender names, DBAs that don’t appear in registration data, or names that don’t match what a consumer would recognize create filtering risk. This catches programs that register under a parent company name but send under a product brand name without updating TCR accordingly.
Opt-in language specificity. Vague opt-in descriptions ‘receive communications from us’ or ‘get updates’ without specifying SMS no longer satisfy CTIA standards. Opt-in language must explicitly state that the consumer is agreeing to receive text messages, from which entity, of what type, and at what frequency. This is the change that most directly affects 10DLC campaign registration submissions, where opt-in description vagueness is already the most common rejection reason.
The January 2026 FCC One-to-One Consent Rule
The FCC’s one-to-one consent rule, effective January 2026, closes what regulators called the ‘lead-generator loophole.’ Previously, a consumer completing a form on a lead aggregator website might consent to receive texts from multiple companies simultaneously their contact information (and the associated consent) could be shared with or sold to dozens of brands.
The January 2026 rule prohibits this. Consent must now be obtained directly by each sending brand, from each consumer. A business cannot rely on consent collected by a third-party lead generator or shared across affiliated brands. Each entity that texts a consumer needs that consumer’s individual, direct consent.
For B2B teams using HubSpot, the operational impact is straightforward: any contact who submitted a form on your own website and checked a compliant SMS opt-in box is properly consented under the new rule. Any contact whose phone number came from a purchased list, a lead aggregator, or a partner data share is not and texting them creates TCPA exposure under the updated consent standard.
The practical answer is to audit your existing contact list for consent source before running any SMS campaign. Contacts with documented first-party consent through your own forms are safe to text. Everyone else needs to be re-consented or excluded from SMS sends entirely.
Turn HubSpot Into A Real-Time SMS Engine with Message IQ
Two-Way Conversations
Shared Team Inbox
Automation Triggers
Advanced Reporting
Compliance Tools
- 98% SMS read within 3 min
- 78% Buy from first responder
- 21× More likely to qualify
*MessageIQ is an Integrate IQ product built natively for HubSpot by the same team.
Sender Reputation: The Compliance Metric Carriers Actually Use
CTIA compliance isn’t a binary pass/fail checked once at registration. Carriers score your sending behavior continuously and adjust how they route your messages based on that score. Think of it as a credit score for SMS deliverability.
The signals that build or erode sender reputation:
| Signal | Builds Reputation | Erodes Reputation |
|---|---|---|
| Opt-out rate | Under 1% per campaign | Over 3% carrier flags as dissatisfaction |
| Complaint rate | Minimal clean opt-in list | High purchased or re-used list |
| Delivery failure rate | Under 2% | Over 5% stale or invalid numbers |
| Sending consistency | Predictable volume and timing | Sudden volume spikes |
| Use-case consistency | Messages match registered campaign type | Promotional content from transactional registration |
| Link quality | Branded or platform-managed domain | bit.ly / tinyurl / unrecognized domains |
| Time of send | 8 AM – 9 PM recipient local time | Before 8 AM or after 9 PM |
Trust scores between 75 and 100 allow the highest message throughput up to 225 messages per second through some carriers. Lower scores reduce throughput significantly, meaning high-volume campaigns run slower or get queued. Sustained low scores can trigger campaign suspension even for registered programs.
CTIA Pre-Send Compliance Checklist
Run through every item below before launching any new SMS campaign or sequence. This covers the CTIA Messaging Principles, the October 2025 updates, and the January 2026 FCC consent rule.
| Checklist Item | Status | Notes |
|---|---|---|
| 10DLC brand registration complete | Required | Must precede any A2P send |
| 10DLC campaign registered for this use case | Required | One campaign per distinct message type |
| Opt-in consent obtained from each recipient directly | Required | No purchased lists, no shared consent Jan 2026 rule |
| Opt-in form includes brand name, message type, frequency, ‘msg & data rates may apply’, STOP and HELP instructions | Required | Exact language, not paraphrased |
| Opt-in confirmation message sent after first subscribe | Required | Repeats key disclosures |
| Company name included in every outbound message | Required | Oct 2025 update must match TCR registration name |
| STOP, UNSUBSCRIBE, CANCEL, END, QUIT all supported | Required | Carrier-mandated keywords |
| Opt-outs processed in real time or within 10 business days | Required | April 2025 FCC rule any reasonable method |
| HELP keyword returns customer care contact | Required | Name + phone or email |
| No public link shorteners (bit.ly, tinyurl) | Required | Use platform or branded short domain |
| URLs in messages resolve to registered domain | Required | Oct 2025 update domain must match TCR brand record |
| Content does not contain SHAFT-restricted material | Required | Sex, Hate, Alcohol, Firearms, Tobacco without carrier approval |
| Message content matches registered campaign use case | Required | Promotional content only from promotional-registered campaign |
| Sending window is 8 AM – 9 PM recipient local time | Required | Not sender time zone |
| Message frequency within disclosed limits | Required | Matches what opt-in form stated |
| No spam-trigger language (FREE!!!, WINNER, etc.) | Conditional | Not prohibited but depresses deliverability |
| Opt-in logs and message samples stored for audit | Required | Needed if TCPA challenge occurs |
| Consent source documented for all contacts on send list | Required | Jan 2026 rule first-party consent only |
How Message IQ Supports CTIA-Compliant SMS for HubSpot Teams
Building a compliant SMS program involves getting the platform infrastructure right, not just the legal language. A platform that handles opt-out processing manually, doesn’t log consent to the CRM, or requires a separate dashboard to manage compliance creates gaps that grow into problems.
Message IQ is built for HubSpot teams and handles the CTIA compliance layer inside the platform:
- 10DLC registration guidance during onboarding. Message IQ walks teams through brand and campaign registration with TCR, including opt-in description language that meets CTIA specificity requirements. Reduces first-submission rejection rate.
- Automatic opt-out processing. STOP, UNSUBSCRIBE, CANCEL, END, and QUIT replies remove contacts from future automated sends immediately and log the opt-out to the contact’s HubSpot record. No manual list management required.
- Opt-out logging to HubSpot contact timeline. Opt-out events appear on the contact record alongside all other activity history. If a contact opts out of SMS and a rep later tries to enroll them in a new workflow, the HubSpot record carries the opt-out flag so they don’t get accidentally re-texted.
- Platform-managed link shortening. Message IQ wraps URLs in tracked short links through a platform-managed domain not bit.ly or tinyurl. Compliant with the October 2025 CTIA update on URL handling.
- TCPA-aware workflow tooling. HubSpot workflow stop conditions can be set to ‘Contact has opted out of SMS’ so automated sequences never fire to unsubscribed contacts even if deal stage or contact property triggers would otherwise enroll them.
Message IQ doesn’t provide legal advice and can’t guarantee compliance with TCPA or CTIA standards for your specific program. What it does do is build the infrastructure that makes compliance operationally manageable so the compliance layer runs in the background while your team focuses on conversations. Plans starting at $99/month.
Frequently Asked Questions
Are the CTIA Messaging Principles legally binding?
No. The CTIA Messaging Principles and Best Practices are industry guidelines, not federal law. No government agency enforces them directly. Carriers enforce them operationally by filtering, throttling, or blocking messages that violate the standards which is just as damaging as a legal penalty if your SMS program can’t reach anyone. The TCPA is the federal law with legal penalties. Both frameworks require compliance for a functional, low-risk SMS program.
What is the SHAFT rule in SMS compliance?
SHAFT is an acronym for the content categories that are prohibited or restricted in standard A2P SMS channels: Sex (adult content), Hate (discriminatory content), Alcohol, Firearms, and Tobacco/Cannabis. Sending messages containing these content types without carrier-specific approval gets your campaign filtered or suspended. Most B2B SMS teams don’t touch SHAFT categories the practical risk for business texting is usually third-party lead lists and shared consent, not content-category violations.
What changed in the October 2025 CTIA update?
The October 2025 update tightened three areas: URL handling (public link shorteners like bit.ly are now a stronger filtering trigger; branded or platform-managed short domains are the standard), sender identification (brand name in messages must match the entity name in TCR registration exactly), and opt-in language specificity (vague opt-in descriptions no longer satisfy CTIA standards language must explicitly state SMS, the sending entity, message type, and frequency).
What is the January 2026 FCC one-to-one consent rule?
The January 2026 FCC rule requires that each SMS sender obtain consent directly from each consumer. Consent can no longer be shared across brands or sold by lead generators. If a contact’s phone number came from a purchased list, a lead aggregator, or a partner data share, texting them without direct first-party consent creates TCPA exposure under the updated rule. Contacts who submitted forms on your own website and checked an SMS opt-in box are properly consented.
How does the ‘any reasonable method’ opt-out rule affect my SMS program?
The April 2025 FCC update requires businesses to honor opt-out requests made through any reasonable method not just STOP keyword replies. If a contact emails asking to be removed from texts, calls your office, or sends an informal message requesting no further texts, you must process that opt-out within 10 business days (real-time is best practice). This requires cross-channel coordination between whoever handles email, phone calls, and SMS so opt-out requests don’t fall through the gaps between channels.
Does Message IQ handle CTIA compliance automatically?
Message IQ handles the operational compliance infrastructure: automatic opt-out processing for STOP and related keywords, opt-out logging to HubSpot contact records, platform-managed link shortening that avoids public shortener domains, and 10DLC registration guidance during onboarding. It does not provide legal advice and cannot guarantee compliance for your specific program and use case. Work with qualified legal counsel to review your consent documentation and opt-in flows against TCPA and CTIA requirements.
Get 300+ SMS Templates
Enter your details to download the PDF instantly.
Download Started!
Your 300+ SMS Templates PDF is downloading now. If it didn’t start, click here.
Build a Compliant SMS Program From Day One
CTIA compliance isn’t a post-launch audit item. The opt-in language, the consent documentation, the opt-out infrastructure, and the 10DLC campaign registration all need to be right before your first message goes out. Message IQ walks HubSpot teams through the compliance setup during onboarding 10DLC registration, opt-out handling, CTIA-aligned workflow tooling so the infrastructure is correct from day one rather than patched after your first carrier complaint. Plans starting at $99/month.
