Guide to Personal Text Message Privacy Laws + TCPA Regulations & Rules for Text Messaging

Text messaging is so effective at engaging people, that it’s regulated.

So what do you need to know about personal text message privacy laws, regulations, and rules to start texting?

In this article, I cover everything - including:

1. What the TCPA is
2. 3 reasons why you need to comply with TCPA guidelines for texting
3. TCPA compliance checklist and requirements for text messaging
4. A bonus TCPA compliance checklist for calling
5. Answers to frequently asked TCPA compliance text message questions

By the end, you’ll know all about consent, opt-in, and TCPA-compliant text messaging.

Read on for more.

Add SMS Superpowers to Your Phone Line

Start texting with a powerful SMS inbox made for teams.

Get startedWatch demo

What is TCPA? What Does TCPA Stand for?

TCPA stands for the Telephone Consumer Protection Act. The TCPA is a set of laws and regulations set forth by the FCC. Enacted in 1991, the law protects consumers’ privacy and reduces abusive telecommunications and spam. The TCPA outlines various telecommunications violations. The Telephone Consumer Protection Act also applies to text messages. It sets rules like requiring opt-in and opt-out language when texting consumers.

3 Reasons Why You Need to Comply with TCPA Guidelines for Texting

1. Text message delivery and engagement

Mobile carriers and messaging platforms have filters that detect and block spam for non-compliant text messages. So following compliance guidelines ensures your text messages get delivered.

Compliant text messages also respect user preferences. This reduces the chances of recipients marking your messages as spam. It can also lead to higher open, click, and engagement rates as well as better customer relationships.

2. Trust and brand building

Respecting privacy and communication preferences, and getting opt-in shows that you value the people you’re texting. It creates transparency and builds trust.

Compliance also shows that you’re professional and responsible. People engage with brands that prioritize their rights and preferences. 

Not to mention, trustworthy practices encourage long-term customer relationships. Satisfied customers are more likely to recommend you to others.

3. Legal consequences and class action lawsuits

Violations of the TCPA can result in lawsuits. Statutory damages range from $500 to $1,500 per violation. This depends on if the act was willful or negligent. 

For example, sending unauthorized text messages to 1,000 recipients could result in fines ranging from $500,000 to $1.5 million. Affected consumers file class action suits all the time. 

TCPA Compliance Checklist

• ✅ Send texts with a TCPA-compliant business text messaging service.
• ✅ Text from a TCPA-compliant SMS phone number.
• ✅ Become a “verified SMS sender” with A2P 10DLC registration through a platform like MessageDesk.
• ✅ Publish a carrier-compliant business text messaging policy on your website and other collateral.
• ✅ Obtain implied opt-in consent or express opt-in consent.
• ✅ Set up opt-in and opt-out controls with a business texting service.
• ✅ Include clear opt-out language in calls to action (CTAs).
• ✅ Maintain and respect a do-not-contact (DNC) list.
• ✅ Don’t send text messages that violate CTIA SHAFT guidelines.
• ✅ Comply with time-of-day restrictions.

1. Send texts with a TCPA-compliant business text messaging service

{{inbox_annotated="/media"}}

You have to use the right business texting services and platforms for TCPA texting compliance.

The default text messaging apps on your phone lack the features you need for compliance. 

Apps like iMessage and Messages by Google don’t offer features like automated opt-out and consent record-keeping.

They also come with scalability issues. These personal text messaging platforms don’t support sending text message broadcasts to large groups. 

Are you currently texting from your personal phone number? If so, you’re at major risk of violating carrier and TCPA rules.

2. Text from a TCPA-compliant SMS phone number

{{sms_phone_number="/media"}}

Next, you’ll need to get a text number that supports TCPA compliance.

Five and six-digit short codes used to be the only way to send TCPA-compliant SMS text blasts.

But you now have a range of SMS phone number options that come with the same compliance mechanisms. These numbers can also support high-volume text messaging.

Your top two phone number options include:

• 10-digit local phone numbers
• Toll-free 800 phone numbers

Note: You can also text-enable an existing business landline or another number with number hosting using MessageDesk.

3. Become a “verified SMS sender” with A2P 10DLC registration Through a Platform like MessageDesk 

{{carrier_registration_step_2="/media"}}

All telecom carriers in the U.S. now require businesses and organizations that text to complete A2P 10DLC carrier registration. 

They do this for TCPA compliance and to prevent phishing scams and SPAM messaging from bad actors.

The good news is that business texting services, like MessageDesk, come with all of the compliance features you need. They can help you manage opt-in, compliance, and registration from one platform.

Every service has its way of managing opt-in and carrier registration. But at MessageDesk, we start the carrier registration process by validating the legitimacy of your organization. We do this with a form that collects the following information:

1. Business identification: You need to provide proof of your business's existence and legality. This includes your Employer Identification Number (EIN) or other tax identification numbers.
2. Business address: The official address registered with your organization.
3. Contact Information: A primary contact within the business, including name, phone number, email address, and website.
4. Messaging purpose and examples: Explain why and how your business uses SMS messaging. This involves providing message examples.
5. Opt-in and opt-out processes: Describe how your contacts opt-in and out of receiving messages. This includes how you collect consent and how you manage and honor opt-out requests.
6. Message content and volume: Carriers need to know about the volume and content of the messages you’ll send. This helps them understand your messaging patterns. It also ensures that your messages align with TCPA regulations.

4. Publish a carrier-compliant business text messaging policy on your website and other collateral

You submitted and validated your information. Next, you need to publish a text message privacy policy.

Carriers require that you have a website. They also require that you publish a business text messaging privacy policy on it for TCPA compliance.

Your privacy policy must explain the following:

1. The type of contact and personal information your organization collects
2. How your organization collects information from contacts
3. How your organization uses any information collected
4. How your organization protects contact data
5. That your organization doesn’t share information with third parties
6. How contacts can opt out of receiving text messages

🚨 Note: having a website with a privacy policy is an absolute must for business text messaging. Without it, carriers won’t approve your organization for texting. 

Here’s an example of language you should include in your privacy policy:

"[ Organization Name ] maintains strict privacy policies, ensuring that personal information of our users and members is not shared, sold, rented, released, or traded to third parties without legal obligation."

Additionally, your privacy policy should Include the following:

SMS Opt-Out: If you are receiving text messages from us and wish to stop, respond "STOP" to opt-out of future messaging. Once we receive your message, you will no longer receive additional texts from us."

5. Obtain implied opt-in consent or express opt-in consent

{{automation_chatbot="/media"}}

Opt-in consent breaks down into two levels across several messaging categories. These include:

1. Implied consent
2. Express consent

Implied consent: for conversational, informational, and transactional texts

Implied consent applies to conversational, informational, and transactional text messages. A contact gives you their implied consent by initiating a text conversation or voluntarily giving you their phone number.

Examples of implied consent include:

• Appointment reminders and confirmations
• Automatic out-of-office messages
• Invoice and payment reminders
• Logistics and delivery updates
• Texts related to account information
• Text alerts and emergency notifications

Under the TCPA, existing business relationships (EBRs) also constitute implied consent. But keep in mind, that this only applies to non-promotional, two-way, conversational text message exchanges.

Here are some questions to consider when determining if you have a contact’s implied consent:

• Did a contact text you or your organization first and ask for information?
• Did you meet someone in person and get their contact info with a phone number?
• Are you texting conversationally and sending two-way SMS messages?
• Did a contact ask for information regarding your business or organization within the past 3 months?
• Did a contact make a purchase or complete a transaction with you or your organization in the past 18 months?

If you answered yes to any of these then you most likely have that contact’s implied consent to text them. 

Express consent: for promotional text messages

Express consent is a recorded agreement that clearly indicates consent to receive texts at a particular phone number. You need express consent to send automated promotional messages for text message marketing.

Contacts can give you express consent by:

• Texting opt-in keywords like SUBSCRIBE or JOIN
• Submitting a form on your website and checking a box that clearly opts them in
• Recorded verbal agreement to receive text messages

Bonus: collect double opt-in consent:

The TCPA doesn’t require double opt-in for business text messaging, but I recommend it. 

Double opt-in is a two-step verification process. You can use it to confirm a subscriber's intent to receive your text messages. 

After a user signs up or provides their contact information (the first opt-in), they receive a follow-up text message. This message asks them to confirm their subscription (the second opt-in). 

This additional step ensures that the person who provided the contact information indeed wants to receive text messages.

TCPA consent requirements for text messages

6. Set up opt-in and opt-out controls with a business texting service

{{automation_opt_in_out="/media"}}

Next, you’ll need tools for getting and maintaining TCPA opt-out requirements. The goal is to provide contacts with control over their messaging preferences.

Platforms like MessageDesk come with features like autoresponders, click-to-text, website contact forms, and chatbots to do this. All of these tools are lead generators that can help you get opt-in and start compliant text message conversations. They automatically record who opts in, and make the terms of opting in from your privacy policy clear.

However, the tool matters less when collecting opt-in. The important part is your first text message sent to new contacts. 

This text must clearly state how to opt in and opt out of future communication. It should also include language around other terms and conditions.

Below is an example SMS opt-in autoresponder text message that sends automatically when a contact texts SUBSCRIBE.

By signing up via text, you agree to receive recurring automated text messages at the phone number provided. Consent is not a condition to purchase. Messages and data rates may apply. Message frequency varies. Reply STOP to opt out and unsubscribe. Reply HELP for help. View our terms and conditions and privacy policy for details.

Note: MessageDesk supports both STOP and HELP keywords out of the box. There’s no additional setup required to maintain TCPA compliance.

SMS opt-in example:

SUBSCRIBE

Recieved 01/06/23, 07:01 am

Hi {{ FirstName }}! Thanks for joining our text subscriber list. You can expect a text from us every month with the best deals. Text STOP to opt out at any time or text HELP for help. Messaging and data rates may apply.

Delivered 01/06/23, 07:01 am

SMS opt-out example:

STOP

Recieved 01/06/23, 07:01 am

Hi {{ FirstName }}, sorry to see you go. You’ve opted out of all text messaging from {{ OrganizaitonName }}. You can opt back into text messages from us at any time by texting SUBSCRIBE. You can also text HELP for help.

Delivered 01/06/23, 07:01 am

SMS help example:

HELP

Recieved 01/06/23, 07:01 am

{{ OrganizationName }}: For help, email {{ Help_Email }}. To opt-out, reply STOP.

Delivered 01/06/23, 07:01 am

7. Include clear opt-out language in calls to action (CTAs)

Contacts also need to be able to opt out of communications with your business or organization at any time.

The first text message a new contact receives from you should include a call to action (CTA). This should state how to opt out of communication.

Specifically, opt-in and opt-out CTAs ensure that contacts agree to receive text messages. It also establishes that they understand the terms and conditions associated with your text message policy.

Compliant CTAs always include:

1. A description of your service, program, or product
2. The telephone number(s) you’ll send messages from
3. You or your organization’s identity
4. Clear and conspicuous language about opt-in
5. Disclaimers regarding any associated fees, charges, or messaging rates
6. Other applicable terms and conditions (e.g., how to opt out, customer care contact information, and any applicable privacy policy)

8. Maintain and respect a do-not-contact (DNC) List

{{inbox_sort_filter="/media"}}

It's important to know who you can and can’t text regardless of consent. For this, you need a business texting service with a DNC or “do-not-contact” list to keep your records straight.

This is where MessageDesk’s SMS subscriber list features can help you manage active and inactive subscribers.

With MessageDesk you can:

• Automatically filter contacts into groups and lists
• Actively record which contacts opt-in and out of receiving text messages
• Automatically maintain an active do-not-contact list (DNC)

Documenting and saving opt-in and opt-out records also helps if you’re ever faced with an abuse complaint.

You want to protect yourself from liability and fines. So use a texting platform that automatically keeps track of who has and hasn’t opted in.

9. Don’t send text messages that violate CTIA SHAFT guidelines

The FCC, CTIA, and TCPA all aim to keep messaging experiences positive for everyone across all carrier networks.

To clarify what this means, the CTIA (an association of mobile carriers and industry advocates) put forth messaging guidelines. CTIA guidelines cover sex, hate, alcohol, firearms, and tobacco (SHAFT) and state that:

1. Content regarding controlled substances and adult content must be age-gated.
2. You can’t disperse content with depictions or endorsements of violence or hate.
3. Don’t send messages containing profanity or hate speech.
4. You can’t endorse illegal drugs.

The alcohol and legal cannabis/marijuana industries are of particular concern with SHAFT.

If your organization provides either of these goods or services you still need to comply with SHAFT standards.

In most cases, this means having robust age gates and normal opt-in and opt-out capabilities.

10. Comply with time-of-day restrictions

{{office_hours="/media"}}

Respecting your contacts' time is not just good texting etiquette—it's the law. The TCPA prohibits any telephone solicitation, including text messages, during "quiet hours" (before 8 a.m. and after 9 p.m.). Some states even have stricter rules.

Best Practice: Stick to sending texts during normal business hours. Ideally, send between 9 a.m. and 8 p.m. in your recipient's local time.

If you're reaching out to customers across different time zones, plan accordingly. A friendly "Good Morning, [Name]" text sent at 11 a.m. Pacific Time might arrive at 2 p.m. for someone on the East Coast—not exactly morning anymore.

Add SMS Superpowers to Your Phone Line

Start texting with a powerful SMS inbox made for teams.

Get startedWatch demo

Bonus: TCPA Compliance Checklist for Calling

This checklist focuses specifically on the compliance requirements for voice calls under the Telephone Consumer Protection Act (TCPA). Adhering to these guidelines ensures that your calling practices stay legal and respectful of consumer preferences.

1. Obtain consent

First and foremost, don't purchase lists of phone numbers containing contacts who haven't opted in. It's essential to obtain express written consent before making any telemarketing or promotional calls. 

This consent must be clear and conspicuous. It should specify that the contact agrees to receive calls from your organization.

Are you relying on implied consent through an Established Business Relationship (EBR)? Make sure you've done business with the contact within the last 3 to 18 months. Without an EBR, you must obtain explicit consent before calling.

2. Comply with calling time restrictions

Respecting your recipient's time is crucial. Don't call before 8 a.m. or after 9 p.m. local time of the recipient. Calling outside of this timeframe is a TCPA violation.

Additionally, be sure to adjust for different time zones to ensure compliance across various regions. This consideration helps prevent disturbances and demonstrates professionalism.

3. Respect the National Do Not Call (DNC) Registry

Don't call contacts listed on the National DNC Registry. Regularly update your calling lists by cross-referencing them with the registry to stay compliant.

Moreover, you need to honor internal DNC requests by promptly adding contacts who opt out to your DNC list. This practice not only complies with regulations but also builds trust with your audience.

4. Provide proper identification

At the start of each phone call, clearly state your name and the name of your business or organization. Following this introduction, provide a brief explanation of the call's purpose. This transparency helps establish credibility and puts the recipient at ease.

5. Use appropriate calling technology

When making calls, don't use artificial or prerecorded voices without the recipient's prior express written consent. This restriction also includes using automatic telephone dialing systems (autodialers) to call cell phones without proper consent.

If no one answers after 15 seconds or 4 rings, whichever comes first, disconnect the call. This practice shows respect for the recipient's time and prevents unnecessary disturbances.

6. Allow opt-out options

Providing an easy method for contacts to opt out of future calls is essential. For live calls, offer an immediate opt-out mechanism during the conversation. 

For prerecorded messages, include an automated opt-out option within the message. 

Ensuring an effortless opt-out process demonstrates respect for consumer preferences and enhances your company's reputation.

7. Adhere to content restrictions

Finally, be mindful of the topics you discuss during calls. Don’t discuss or promote alcohol or tobacco products to individuals without age verification. Additionally, avoid content that is graphic, hateful, violent, or confidential. 

Be sure to comply with CTIA Guidelines by steering clear of prohibited topics. Adhering to these content restrictions helps maintain a professional image and avoids potential legal issues.

Frequently Asked TCPA Compliance Text Message Questions

Below is a list of frequently asked questions related to text messages and TCPA compliance.

What regulatory agencies and SMS compliance laws apply to texting?

Three regulating entities/laws apply to business text messaging. They include the Federal Communications Commission (FCC), the Telephone Consumer Protection Act (TCPA), and the Cellular Telecommunications and Internet Association (CTIA).

Each works to protect consumers’ messaging experience. They do this through policies that reduce unsolicited advertisements and promotional text messages.

FCC, CTIA, and TCPA regulations are all about consent, opt-in, and opt-out. They give people control over their messaging preferences, frequency, and more.

What other personal text message privacy laws apply to text messaging?

In addition to the federal TCPA, several states have their own stricter text messaging laws. 

Florida's Telephone Solicitation Act (FTSA) limits the number of texts or calls businesses can make in a day. It also mandates a cutoff time of 8 p.m. local time. Violations can lead to significant penalties. 

Similarly, California has tougher consumer protection laws. Even manual marketing texts can trigger regulations, requiring consent for virtually all text-based promotions.

What is A2P 10DLC and why does it matter for TCPA compliance?

A2P 10DLC carrier registration is a messaging solution required for high-volume commercial texts. It ensures better message deliverability rates and compliance with carrier and regulatory standards. Every business or organization that texts must register their phone numbers to avoid SPAM filtering and blocking.

What are the most recent changes to TCPA regulations for text messages?

In late 2023, the FCC tightened its rules around consent requirements for text messaging. These new rules particularly focused on "one-to-one" consent. 

This means that businesses can’t use blanket consent agreements. Multiple affiliates or partners can’t send marketing texts based on a single opt-in from the consumer.

Does TCPA apply to text messages?

The TCPA does apply to text messages. The Federal Communications Commission (FCC) 2015 Omnibus Declaratory Ruling and Order set these boundaries. Regardless, text messages are subject to the same Telephone Consumer Protection Act (TCPA) restrictions as phone calls.

Do TCPA rules apply to business contacts or just consumers?

TCPA rules primarily target consumer communications. However, courts sometimes rule that business cell phones can fall under these regulations, particularly if used for personal reasons​.

Are there any exceptions to the TCPA?

Not all text messages fall under the TCPA's regulations. The TCPA strictly governs marketing, advertising, and auto-dialed messages. However, there are certain exceptions. These exceptions include informational and non-commercial texts that don’t require express consent or opt-out options.

For example:

• Financial institutions can send important account or security updates.
• Healthcare providers can share appointment reminders, confirmations, and lab results.
• Pharmacies can notify customers about prescription statuses.
• Utility companies can communicate service updates, outages, or upgrades.
• Schools can provide alerts about closures, health risks, or absences.

In essence, messages that provide essential updates, especially in emergencies, are exempt from TCPA compliance. However, any promotional or marketing texts still need to follow the full TCPA guidelines.

What is the FCC?

The Federal Communications Commission (FCC) is an independent U.S. government agency overseen by Congress. The FCC regulates interstate and international communications through radio, television, wire, satellite, and cable across the U.S.

What is the role of the FCC in text message regulations?

The FCC is a regulatory authority. They enforce laws that protect consumers from unwanted and intrusive communications. This includes text messages and phone calls.

Specifically, the FCC implements and enforces the Telephone Consumer Protection Act (TCPA). 

FCC texting regulations also require that you obtain proper consent before sending marketing messages. It mandates clear opt-out mechanisms for consumers.

What is the CTIA?

The Cellular Telecommunications and Internet Association (CTIA) is a non-profit trade association. They represent the wireless communications industry in the United States. The CTIA advocates for legislative and regulatory policies. 

What is the CTIA’s role in SMS compliance?

The CTIA is a key organization in the telecommunications industry. They establish content standards that help maintain text messaging as a trusted communication method. Specifically, the CTIA focuses on preventing spam and unwanted messages. 

The CTIA also monitors compliance through enforcement programs. Entities found in violation of their guidelines may face penalties. This includes suspending messaging services.

What does DNC mean in texting?

In texting, DNC means “don't contact”. A DNC list is a do-not-contact or do-not-call list. It maintains a current record of contacts who have opted out of communication.

Can you text DNC numbers?

No, you can’t text DNC numbers. Texting numbers listed on the National Do Not Call Registry incur TCPA violations and fines.

Is mass texting illegal?

No, mass texting isn’t illegal, but carriers heavily restrict it. The U.S. government has a long history of regulation. Historically, they’ve protected consumer privacy concerning telemarketing and robocalls, and this also extends to texting.

What are the penalties for TCPA violations?

The FCC and courts judge calls and text messages in the same way. The penalties for violating the TCPA are the same for both. TCPA fines also get levied on a per-violation basis. 

Standard penalties are up to $500 per violation and up to $1,500 per willful violation. Multiple violations can incur fines in the millions of dollars.

Who sets TCPA requirements and compliance rules in the US?

Congress passes laws regulating SMS text messaging. The courts interpret those laws. Regulatory agencies such as the FCC and FTC enforce those laws. They create rules to do so.

Other court decisions and FCC text message regulations now extend the TCPA’s regulations to SMS text messaging.

Add SMS Superpowers to Your Phone Line

Start texting with a powerful SMS inbox made for teams.

Get startedWatch demo

Ready for a smarter, simpler TCPA-compliant texting service?

I’ve covered TCPA compliance and how it applies to text messages. It’s more than possible to maintain compliance with text messages. This is especially true if you text using a business texting service like MessageDesk.

Ready to start texting? Your next step is to meet with a MessageDesk messaging expert. 

MessageDesk is here to help you configure your business phone number. We make carrier registration simple, easy, and transparent.