TCPA compliance for SMS: a practical guide
The TCPA governs marketing texts in the US. In practice that means: get prior express written consent before sending marketing SMS, only send during permitted hours, identify yourself, honor STOP requests immediately, and keep records. Violations run $500–$1,500 per message, so the safe pattern is consent-first and opt-out-always.
The Telephone Consumer Protection Act (TCPA) is the US federal law that regulates telemarketing calls and text messages. If your team sends SMS at volume, the TCPA is the single biggest rule set you need to understand — and the one with the sharpest teeth. This guide covers the practical mechanics. It is general information, not legal advice; talk to qualified counsel about your specific program.
Why the TCPA matters
The TCPA creates a private right of action, which means recipients can sue directly. Statutory damages are $500 per violation, rising to $1,500 per violation where a court finds the conduct willful or knowing. Because damages are per message, a single non-compliant broadcast to thousands of numbers can add up fast. There is a four-year federal statute of limitations, and many cases are brought as class actions.
The takeaway is not "texting is dangerous" — it is that the rules are knowable and the safe pattern is well understood.
The core requirements
1. Consent
For marketing text messages, the standard is generally prior express written consent: the recipient agreed, in writing, to receive marketing texts from you, with clear disclosure that they may be sent using an automated system and that consent is not a condition of purchase. For purely transactional or informational messages the bar can be lower, but the line between "informational" and "marketing" is easy to cross, so many teams treat consent as table stakes for all outbound SMS.
Keep proof of consent — when, how, and what the person agreed to.
2. Timing
Calls and texts should be sent within permitted hours. The commonly cited federal window is 8:00 a.m. to 9:00 p.m. in the recipient's local time zone, and several states impose stricter windows. Sending outside those hours is a frequent source of complaints.
3. Identification
Identify who is texting. Recipients should be able to tell which business the message is from.
4. Opt-out
Every recipient must be able to opt out, and you must honor it promptly. Replies such as STOP, UNSUBSCRIBE, or OPT OUT should immediately suppress future messages. Best practice is to suppress across your whole account, not just the one campaign, so a person who opts out once does not hear from you again through another list.
5. Do Not Call
Marketing outreach also intersects with Do Not Call rules. Scrubbing your list against DNC data before you send is a standard control. (See our separate guide on the DNC registry.)
How this maps to a real workflow
A defensible SMS program tends to look like this:
- Collect and store consent at the point of signup, with the disclosures above.
- Scrub every list against DNC and your internal suppression list before sending.
- Throttle sending so you stay within carrier limits and can stop quickly if something looks wrong.
- Honor STOP instantly and account-wide, and log the suppression.
- Keep an audit trail — who was messaged, when, what was screened, and what was suppressed — that you can export if you are ever asked to show your work.
Fivra is built around this pattern: DNC lookups run before contacts are messaged, STOP/opt-out replies suppress account-wide automatically, and screening and sending activity is written to append-only audit logs you can export as CSV or JSON. The platform provides the controls; how you configure consent and use them is still your responsibility.
Common mistakes
- Treating consent as implied. "They gave us their number" is usually not the same as express written consent to marketing.
- Ignoring time zones. A broadcast that is fine at 8:30 a.m. on the East Coast is a 5:30 a.m. text on the West Coast.
- Slow opt-outs. Honoring STOP "in the next batch" is not honoring it promptly.
- No records. If you cannot show consent and suppression history, you cannot defend the program.
FAQ
What is the TCPA?
The Telephone Consumer Protection Act is a US federal law that regulates telemarketing calls and text messages, including consent, calling hours, identification, and Do Not Call requirements. It allows recipients to sue for statutory damages.
Do I need consent to send marketing texts?
Generally yes. Marketing SMS typically requires prior express written consent — a written agreement to receive marketing texts, with disclosure that automated messages may be used and that consent is not a condition of purchase. Consult counsel about your specific messages.
What are the penalties for a TCPA violation?
Statutory damages are $500 per violation, and up to $1,500 per violation if the conduct is found to be willful or knowing. Because damages are per message, exposure scales with the size of the send.
What hours can I send marketing SMS?
The commonly cited federal window is 8:00 a.m. to 9:00 p.m. in the recipient's local time zone, and some states are stricter. Send within the tightest applicable window.
How should I handle opt-outs?
Honor STOP, UNSUBSCRIBE, and OPT OUT requests promptly. Suppressing opt-outs account-wide — not just for one campaign — is the safest approach, and you should keep a record of the suppression.
Does Fivra make me TCPA compliant?
Fivra provides compliance tooling — DNC screening, automatic STOP suppression, and exportable audit logs — but compliance depends on how you configure consent and use the platform. It is not a substitute for legal advice.
Outreach at volume. Compliance by default.
Fivra pairs high-volume SMS broadcasting with a built-in power dialer and real-time TCPA & DNC screening — one platform for high-volume teams.
Get started