SMS Marketing Laws: TCPA, CTIA & 10DLC Compliance Guide (2026)

SMS marketing laws in the US operate across three overlapping layers: TCPA (federal law, $500-$1,500 per violation), CTIA messaging principles (carrier-enforced industry standards), and A2P 10DLC registration (mandatory carrier registration for business texting). The core requirements are: prior express written consent before any marketing text, opt-out handling that processes STOP replies immediately, quiet-hours compliance (8am-9pm recipient local time), no SHAFT content (Sex, Hate, Alcohol, Firearms, Tobacco), and A2P 10DLC brand and campaign registration. TCPA class action filings were up nearly 95% year-over-year through mid-2025. If your SMS program hasn’t been reviewed since 2024, it carries significant legal exposure.

A single non-compliant SMS campaign to 10,000 contacts carries theoretical fine exposure of $5 million to $15 million under TCPA. That’s not a hypothetical. TCPA class actions are one of the most litigated categories in US federal courts, and the statute carries no cap on aggregate damages. $500 per message, $1,500 for willful violations, applied per recipient.

SMS marketing laws in 2026 look different from 2024. Two major FCC rule changes moved through the courts, one was vacated, one was delayed, and several states added their own layers on top of federal requirements. If you’re building or running an SMS marketing program, you need the current picture not last year’s guide. This article covers every law and standard that applies to US business SMS marketing, what changed in 2025-2026, and how to build a program that doesn’t create legal exposure. For the consent language you actually need on your opt-in forms, the TCPA consent language guide has copy-paste ready templates.

Get Expert Guidance on SMS Marketing Regulations Today.

The Three Layers of US SMS Marketing Law

Most businesses think SMS compliance is just TCPA. It’s three overlapping frameworks, and violating any one of them causes problems, even if you’re clean on the others.

Framework	What It Is	Enforced By	Penalty for Violation
TCPA	Federal law governing consent and opt-out for automated messages	FCC + private litigation / class actions	$500-$1,500 per message, no aggregate cap
CTIA	Industry messaging principles covering content, opt-in format, and message structure	Mobile carriers (AT&T, Verizon, T-Mobile)	Message filtering, number blocking, campaign suspension
A2P 10DLC	Mandatory carrier registration for business-to-consumer texting	The Campaign Registry + carriers	Traffic filtering, message blocking, campaign rejection

TCPA violations cost you money in court. CTIA violations cost you deliverability. 10DLC violations mean your messages never arrive. A fully compliant program satisfies all three simultaneously.

FREE SMS ROI CALCULATOR

See how much revenue SMS could add to your HubSpot stack

Five inputs. Industry-backed benchmarks. Get your projected annual SMS revenue in under 30 seconds.

Calculate My SMS ROI

TCPA: The Federal Law Every SMS Marketer Must Know

The Telephone Consumer Protection Act was passed in 1991 to regulate unsolicited telemarketing calls. The FCC has consistently interpreted ‘calls’ to include text messages, making TCPA the primary federal framework governing business SMS in the US. TCPA class action filings rose nearly 95% year-over-year through mid-2025. Businesses that treat TCPA compliance as a box-checking exercise rather than an operational requirement are the ones writing settlement checks.

What TCPA Requires

Prior express written consent (PEWC). Before sending any marketing text to a US contact, you need documented written consent. That means a checkbox on a web form, intake paperwork, or a point-of-sale sign-up with consent language that is clear, conspicuous, and specific to your business. Verbal consent doesn’t satisfy TCPA. A phone number on a business card doesn’t satisfy TCPA. Buying a lead list where contacts ‘agreed to be contacted by partners’ doesn’t satisfy TCPA for your specific business.

Consent must name your business specifically. Generic partner consent clauses are legally risky. Your consent language should clearly identify your company by name as the entity that will be sending automated texts.

Opt-out must be immediate. When a contact replies STOP (or UNSUBSCRIBE, QUIT, CANCEL, END, or REVOKE), that opt-out must be processed immediately and that suppression must log to their contact record so no future automated workflow re-enrolls them. As of April 2025, the FCC also requires businesses to accept opt-outs communicated through ‘any reasonable method,’ not just keyword replies including opt-outs made by email, phone call, or website form.

Quiet hours. No marketing texts before 8am or after 9pm in the recipient’s local time zone. This is a federal floor; some states have stricter windows (covered below).

Sender identification. Every marketing text must identify who sent it. The contact should know which business is texting them without having to guess.

What TCPA Does NOT Require (Common Misconceptions)

Transactional texts don’t need the same consent level. Appointment reminders, order confirmations, and account alerts sent to contacts who provided their number in that context get more latitude than marketing texts. They still require consent, but not prior express written consent at the same standard as promotional content.

Existing customer relationships provide some flexibility. TCPA has a narrower exception for established business relationships, but it doesn’t give blanket permission to market via SMS to everyone who’s ever bought from you. When in doubt, get written consent anyway.

2025-2026 TCPA Updates: What Actually Changed

Two significant rule changes moved through the regulatory process in 2025-2026. The picture is messier than most compliance guides acknowledge.

The one-to-one consent rule: proposed, fought, vacated. The FCC issued a rule in December 2023 requiring each business to obtain its own individual consent meaning a single opt-in covering multiple ‘marketing partners’ would no longer be sufficient. The rule was set to take effect January 2025. On January 24, 2025, the 11th Circuit Court of Appeals vacated it in Insurance Marketing Coalition v. FCC, finding the FCC exceeded its statutory authority. The FCC subsequently deleted the vacated rule and reinstated prior language. As of 2026, one-to-one consent is not a legal requirement under federal TCPA. A single opt-in can still cover multiple sellers under the right conditions, though broad partner consent clauses carry risk.

Consent revocation through ‘any reasonable method’: in force. As of April 2025, the FCC’s consent revocation rule requires businesses to honor opt-out requests made through any reasonable channel, not just STOP keyword replies. Opt-outs communicated via email, phone call, website form, or direct conversation must be honored within 10 business days, with real-time processing as the practical standard.

The ‘revocation-all’ rule: delayed to January 2027. A related provision would have required businesses to treat any opt-out as revocation of consent for all communication channels and purposes. In January 2026, the FCC delayed this provision to January 31, 2027. Watch this space it will require significant compliance architecture changes when it takes effect.

CTIA: The Carrier-Enforced Industry Standards

The CTIA (Cellular Telecommunications Industry Association) is the trade association for the US wireless industry. Their Messaging Principles and Best Practices are not federal law, but mobile carriers AT&T, Verizon, T-Mobile enforce them on their networks. Violating CTIA guidelines means carriers filter or block your messages. Your TCPA compliance doesn’t matter if your texts never arrive.

CTIA Consent and Opt-In Requirements

CTIA requires that consent be explicit and that the opt-in process clearly discloses:

Who is texting (your business name)
What types of messages the contact will receive
Estimated message frequency
That message and data rates may apply
How to opt out (STOP) and how to get help (HELP)

This disclosure language belongs in your opt-in flow, not buried in terms and conditions three scrolls below the form. CTIA requires it to be ‘clear and conspicuous.’

CTIA Message Content Requirements

Every marketing text you send should include:

Your business name or brand identifier (contacts should know immediately who’s texting them)
Opt-out reminder in the first message of any campaign (‘Reply STOP to opt out’)
HELP keyword support (replying HELP must return your contact information or support instructions)

SHAFT: Prohibited Content Categories

CTIA prohibits or restricts five content categories in A2P SMS campaigns regardless of consent status. These are enforced at the carrier level during 10DLC campaign registration and through automated message filtering:

Letter	Category	What It Means in Practice
S	Sex	Explicit adult content is prohibited. Age verification required for any adult-adjacent content.
H	Hate	Content promoting violence, discrimination, or hate against any group is blocked outright.
A	Alcohol	Marketing for alcohol brands requires age-gating that confirms recipients are 21+ before any campaign messages are sent.
F	Firearms	Marketing for the sale of firearms is prohibited. Safety and education content may be permitted with additional vetting.
T	Tobacco	Includes tobacco, CBD, and cannabis. Age-gating required for legal products. Cannabis campaigns face significant carrier restrictions regardless.

SHAFT isn’t an exhaustive list. CTIA and carriers also restrict or flag: cannabis, CBD, payday loans, debt collection, credit repair, get-rich-quick content, deceptive marketing, and gambling (outside of licensed state programs). Campaigns in any of these categories face additional vetting during 10DLC registration and are subject to carrier filtering even if the registration is approved.

One more CTIA operational note: public URL shorteners (Bitly, TinyURL) are strongly associated with spam traffic and trigger carrier filters. Use branded or dedicated short domains for any link included in an SMS message.

A2P 10DLC: The Registration Requirement That Makes or Breaks Deliverability

A2P 10DLC stands for Application-to-Person 10-Digit Long Code. It’s the US carrier registration system for businesses sending automated texts from standard 10-digit numbers. Registration is mandatory not optional, not ‘recommended.’ Without it, carriers filter or block your traffic. Appointment reminders don’t arrive. Lead follow-ups disappear. The full registration walkthrough is in the A2P 10DLC brand registration guide, but here’s the structure:

Brand Registration

Every business sending A2P SMS must register its brand with The Campaign Registry (TCR). Brand registration captures basic business identity: legal business name, EIN, business type, and industry. This is a one-time setup step. Costs vary by platform but are typically a small one-time fee.

Campaign Registration

After brand registration, each use case you send for requires its own campaign registration. A campaign defines what you’re texting about: marketing promotions, appointment reminders, account notifications, two-factor authentication. Each campaign goes through carrier vetting. SHAFT-adjacent campaigns face extended review. Campaigns that don’t match their registered use case can be suspended.

What Happens Without Registration

Carriers actively filter unregistered A2P traffic. Your messages may be delivered intermittently, throttled below usable volume, or blocked entirely — with no error notification to your platform. From your dashboard, everything looks like it’s sending. At the carrier level, your contacts are getting nothing. This is why 10DLC registration is non-negotiable before any automated SMS campaign runs at scale.

State-Level SMS Marketing Laws: Where Federal Law Sets the Floor

Fifteen states, including California, Florida, Texas, New York, Virginia, and Washington, now layer additional SMS marketing requirements on top of TCPA. State laws create a patchwork where federal compliance is necessary but not always sufficient. Key state-level differences to know:

State	Quiet Hours	Key Difference from TCPA	Effective	Source Law
Federal (TCPA)	8am-9pm local	Baseline	1991 / ongoing	TCPA
Florida	8am-8pm local	1-hour earlier cutoff	2021	FSIPA
Oklahoma	8am-8pm local	1-hour earlier cutoff	2022	OTSA
Washington	8am-8pm local	1-hour earlier cutoff	2021	CEMA
Texas	9am-9pm Mon-Sat, 12pm-9pm Sun	Later start + Sunday restriction	Sept 2025	Texas Bus. & Com. Code
Virginia	Additional state consent requirements	Enhanced consent rules	2026	VCDPA amendments
California	CCPA applies to SMS data	Data subject rights for SMS contacts	Ongoing	CCPA/CPRA

Texas deserves particular attention. Effective September 1, 2025, Texas amended its Telephone Solicitation Laws to expressly define marketing text messages as ‘telephone solicitations,’ requiring businesses to register with the Texas Secretary of State in many cases before sending promotional SMS to Texas residents. If you’re sending at volume to Texas contacts, this adds a layer of compliance the federal TCPA alone doesn’t capture.

California’s CCPA/CPRA applies to how you collect, store, and use the mobile numbers you text. Contacts have the right to request deletion of their data, including their phone number. Your SMS program needs a process for honoring deletion requests, which means more than just suppressing future sends it means removing the number from your list and your CRM.

Two-Way Conversations

Shared Team Inbox

Automation Triggers

Advanced Reporting

Compliance Tools

98% SMS read within 3 min
78% Buy from first responder
21× More likely to qualify

Proven results

98% open rate 3–5 min avg response $45–$50 ROI / $1

Explore Message IQ

*MessageIQ is an Integrate IQ product built natively for HubSpot by the same team.

SMS Marketing Compliance Checklist for 2026

Run your current SMS program against this checklist. If any item is unchecked, it’s a compliance gap with real legal or operational exposure:

Consent

Written opt-in consent collected before the first marketing text
Consent form names your specific business (not just ‘our partners’)
Consent language is clear, conspicuous, and not buried in terms and conditions
Consent includes: business name, message type, estimated frequency, M&D rates disclaimer, STOP/HELP instructions
Consent records stored with timestamp, method, and contact identity

Registration

A2P 10DLC brand registration completed with The Campaign Registry
Campaign registration submitted and approved for each use case (marketing, reminders, transactional)
SHAFT-adjacent campaigns reviewed for carrier acceptability before submission

Opt-Out and Suppression

STOP, UNSUBSCRIBE, QUIT, CANCEL, END, and REVOKE all trigger immediate opt-out
Opt-outs made by email, phone call, or other ‘reasonable method’ are honored within 10 business days
Opt-out status logs to CRM contact record and suppresses from all future automated workflows
No re-enrollment of opted-out contacts in any future campaign

Message Content

Business name appears in every message
Opt-out instruction included in first message of every campaign sequence
HELP keyword returns support contact information
No SHAFT content (Sex, Hate, Alcohol without age-gate, Firearms sale, Tobacco without age-gate)
No public URL shorteners (Bitly, TinyURL) use branded or dedicated domains

Send Timing

Marketing texts restricted to 8am-9pm recipient local time (federal minimum)
Florida, Oklahoma, Washington contacts: 8am-8pm local
Texas contacts: 9am-9pm Monday-Saturday, 12pm-9pm Sunday
Workflow scheduling configured to enforce time-zone-aware send windows

Platform

SMS vendor has signed a Business Associate Agreement if any healthcare contacts or PHI is involved
Platform handles opt-out suppression automatically and logs to CRM
Delivery reporting available (to confirm messages are actually arriving, not just sending)

How Compliance Connects to Your HubSpot SMS Workflows

Running SMS automation inside HubSpot doesn’t automatically make it compliant, but a natively integrated SMS platform built for HubSpot handles the operational compliance requirements automatically: opt-out suppression syncs to the contact record, STOP replies prevent re-enrollment in future workflows, send-window scheduling respects recipient time zones, and every opt-in status tracks as a contact property. SMS automation in HubSpot covers the full workflow setup with compliance guardrails built into each sequence.

The non-automated compliance work consent form language, 10DLC registration, SHAFT content vetting, state-specific quiet hours requires human setup before the first campaign runs. Treat it as a one-time foundation, not a recurring burden. Most practices get it right once and then run compliantly for years without revisiting it.

The Financial Case for Getting SMS Compliance Right

The legal exposure numbers make the case better than any abstract argument:

TCPA fine exposure: $500 per message for standard violations, $1,500 per message for willful violations, with no aggregate cap
A campaign sending 10,000 non-compliant marketing texts: $5M to $15M in potential statutory damages
DNC Registry violations: up to $43,792 per text
TCPA class action filings: up nearly 95% year-over-year through mid-2025
Carrier blocking from non-registered A2P traffic: 100% of messages filtered, no court order required

The compliance setup consent forms, 10DLC registration, opt-out infrastructure takes days, not months. The alternative is operating with that exposure against a litigation environment that’s actively getting worse. For the consent language templates your opt-in forms actually need, TCPA consent language for SMS has copy-paste versions ready to drop into your forms.

Frequently Asked Questions

What is TCPA compliance for SMS marketing?

TCPA compliance for SMS marketing means obtaining prior express written consent before sending any marketing text to a US contact, honoring opt-out requests immediately, respecting quiet hours (8am-9pm recipient local time), identifying your business in every message, and completing A2P 10DLC registration before sending at scale. TCPA fines run $500-$1,500 per message with no cap on aggregate liability.

Do I need consent to send a text message to a customer?

For marketing texts, yes prior express written consent is required. For transactional texts like order confirmations or appointment reminders sent to contacts who gave you their number in that context, consent requirements are less strict but still exist. When in doubt, collect written consent for all SMS communication from the start. It’s much easier than trying to re-consent a list after the fact.

What is A2P 10DLC and do I need it?

A2P 10DLC is the carrier registration system for US business texting. Brand registration establishes your business identity with The Campaign Registry. Campaign registration defines each use case you’re texting for. Without both, carriers filter or block your messages. Registration is mandatory for any business sending automated texts at scale in the US. See the 10DLC registration guide for the step-by-step process.

What is SHAFT and does it apply to my SMS campaigns?

SHAFT stands for Sex, Hate, Alcohol, Firearms, and Tobacco five content categories that CTIA prohibits or restricts in A2P SMS campaigns regardless of consent. SHAFT rules are enforced by mobile carriers during 10DLC campaign registration and through automated message filtering. If your business operates in any of these categories (including adjacent areas like CBD, cannabis, gambling, or payday lending), your campaigns face additional vetting and may require age-gating or special registration.

What states have stricter SMS marketing laws than federal TCPA?

Florida, Oklahoma, and Washington require quiet hours of 8am-8pm (one hour stricter than TCPA’s 9pm cutoff). Texas, effective September 2025, restricts marketing texts to 9am-9pm Monday through Saturday and noon to 9pm on Sundays, and requires Secretary of State registration for many businesses. Virginia added enhanced consent requirements in 2026. California’s CCPA/CPRA applies data subject rights to SMS contact data. Always verify current state requirements for the states where your contacts are located.

What happens if I violate TCPA?

TCPA violations expose you to statutory damages of $500 per message for standard violations and $1,500 for willful violations, with no aggregate cap. A single campaign to 10,000 non-consenting contacts creates theoretical exposure of $5M to $15M. TCPA class actions are actively filed and frequently settle for significant amounts. Beyond fines, carriers can block your number and campaigns independently of any legal action.

Is there a difference between TCPA and CTIA compliance?

Yes, and you need both. TCPA is federal law enforced by the FCC and through private litigation violations mean fines and lawsuits. CTIA is an industry standard enforced by mobile carriers violations mean message filtering and number blocking. A business can be TCPA-compliant and still have messages blocked by carriers for CTIA violations. A business can follow CTIA guidelines perfectly and still face TCPA lawsuits if consent wasn’t properly documented.

Build Your SMS Program on Compliant Infrastructure

Compliance isn’t the interesting part of SMS marketing. But it’s the part that determines whether your campaigns actually work and whether your business absorbs a seven-figure lawsuit. A natively integrated SMS platform handles the operational mechanics opt-out suppression, CRM logging, send-window enforcement, workflow-level consent gating automatically. What it can’t do is collect consent for you or register your 10DLC brand. That’s a one-time setup that protects everything you build after it.

Plans start at $99/month, with 10DLC onboarding support included. See how it connects to your HubSpot at messageiq.io, and book a strategy call to walk through the compliance setup before your first campaign goes out.