TCPA Compliance Checklist & Guide for Business Messaging

TCPA Compliance Checklist & Guide for Business Messaging

Aug 02, 2020 - 15 min read time
What is TCPA? Comprehensive TCPA compliance checklist and guide to TCPA regulations and violations for calls and text messages.

TCPA Compliance Checklist and Guide: Everything Your Business or Organization Needs to Know

Text messages are a highly effective way to communicate with contacts and customers. In fact, 67% of people would rather text than talk.

What many businesses and organizations may not know is how the regulation applies to text messaging.
Text messages are subject to the same regulations and restrictions as telemarketing calls.

TCPA litigation has become hot stuff since 2015, so we’re providing businesses with the knowledge they need to stay TCPA compliant.

In This Guide You'll Learn:

  1. What is TCPA? What Does TCPA Stand for?
  2. TCPA Compliance Guide
  3. TCPA Compliance Checklist
  4. TCPA Consent Standards
  5. Text Messaging Consent Standards
  6. Three Types of Consent
  7. TCPA Consent Exceptions
  8. Calls-to-Action (CTAs)
  9. Opt-in and Opt-out Requirements
  10. TCPA Violations
  11. CTIA SHAFT Guidelines
  12. Maintaining a Do Not Contact List
Chapter 1

What is TCPA? What Does TCPA Stand for?

TCPA stands for the telephone consumer protection act. The TCPA is a set of laws and regulations enacted in 1991 to protect consumers’ privacy and reduce abusive telecommunications.

The TCPA outlines various violations and offers a guide to businesses on how to contact consumers

TCPA Compliance Checklist

  • Conversational messages require implied consent.
  • Information messages require express consent.
  • Promotional messages require express written consent.
  • Don't purchase lists of phone numbers containing contacts who haven't opted in.
  • Don't use spammy technology like shortcodes, artificial voices, or recordings.
  • When possible use a business messaging service that offers local 10DLC messaging.
  • Don't text or call a contact before 8 am or after 9 pm, local time.
  • Don't text or call anyone on the National DNC Registry.
  • Maintain a "Do Not Contact" list for all of your business contacts.
  • List your business name, message frequency, and applicable messaging rates when contacts opt-in.
  • Provide contacts with an "opt-out" like "STOP".
  • If calling, disconnect if no one answers after 15 seconds or 4 rings, whichever comes first.
  • Don't send messages pertaining to alcohol to non-age-verified numbers.
  • Don't send messages with anything that's graphic, hateful, violent, or confidential.
  • Stay aware of updates to messaging regulations.

Disclaimer: Please note that our advice is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.

TCPA Compliance Guide

There are several important things you and your business need to know about TCPA compliance before sending text messages or making phone calls:

  1. Get express written consent.
  2. Keep messages conversational.
  3. Use texting services that support local 10-digit long codes (10DLC).
  4. Include clear CTAs, terms of service, and privacy policies.
  5. Support "STOP" for opt-out.
  6. Maintain records for opt-in and opt-out with a DNC (do not contact) list.

1. Get Express Written Consent.
There are three types of consent based on the three different types of conversations typically had with contacts and customers.

To send automated marketing or promotional messages you need express written consent. If you don’t have proper express written consent, then you must put contact phone number in your DNC (Do Not Contact) list.

2. Keep Messages Conversational.
Message delivery and response rates go up when you have personalized, thoughtful conversations. Don’t get spammy and talk like a robot - carriers, regulators, and your contacts will appreciate it.

3. Use Texting Services that Support Local 10-Digit Long Codes (10DLC).
Older five and six-digit shortcodes are a thing of the past and many carriers like AT&T aren’t supporting them.

These numbers and send pathways aren’t always verified and they only support one-way mass texting.

4. Include Clear CTAs, Terms of Service, and Privacy Policies.
Every call-to-action (CTA) you use in your messages should be clear.

Include your campaign purpose, message frequency, terms and conditions, privacy policy, and info about message and data rates.

5. Support “STOP” For Opt-out.
The first message you send to new contacts must be an opt-in message that clearly states how to opt-out of future communication.

6. Maintain Records for Opt-in and Opt-out with a DNC (Do Not Contact) list.
To protect yourself from liability you need to maintain up-to-date records of who has and hasn’t opted into communication with your business

Bottom line: you need consent for your business or organization to call and send text messages. This isn’t negotiable.

If you don’t get the right level of consent at the right time for the right kind of conversation, you could get into serious trouble with the law.

In short, unless a contact gives you prior express written consent, the TCPA, and FCC rules ban both robocalls calls and robo-texts with artificial or prerecorded voice and/or messages from autodialers.

Consent varies based on the various types of conversations you have with your customers (Conversational, Informational, Promotional, etc.) and on the nature of the conversation (Transactional or Promotional).

Technology and automation also play an important factor. Getting the right kind of consent depends on the content of the message and who or what sends it first.

Generally, you need three things before you start texting your customers.

To Text Your Customers You Need 3 Things:

  1. General Customer Consent You need to obtain your customer’s consent to send them conversational, informational, and transactional messages.

  2. Express Written Consent To send customers automated marketing and promotional messages you need their express written consent.

  3. Any-Time Opt-Out Your customers need to be able to revoke their consent, opt-out and stop receiving text messages from your business at any time they choose.

Conversational Text Messaging Consent:

Conversational text messaging is a one-on-one two-way conversation between you and your existing customers or known contacts with an existing business relationship.

If a customer texts your business first and you respond quickly with a single message, then it is likely conversational.

As long as you respond with relevant information, then you don’t need verbal or written permission.

This is called implied consent. It’s based on the already established relationship you have with your customer or contact.

Informational Text Messaging Consent:

Informational messaging takes place when a contact gives your business their phone number and asks to be contacted in the future.

Informational text messaging includes appointment reminders, welcome texts, and other alerts and notifications.

These messages are all in this category because the message content fulfills your contacts’ original request.

For informational text messaging, your customer does need to agree to receive texts specifically for informational purposes.

This is called express permission. Contacts may grant you this permission via text opt-in, on a form, on a website, verbally or with written permission.

Express consent may also be orally recorded for all non-commercial, informational texts from tax-exempt nonprofits, political campaigns, and other non-commercial entities.

Promotional Text Messaging Consent:

Promotional text messages are messages that directly promote, market, and sell your business, product, or service. Before your business sends any promotional text messages, you need express written consent.

Contacts may sign a form, check a box online, etc. to receive promotional text messages. The important part is that you have this consent in writing.

If you already ask customers to sign forms or submit their contact information, then consider adding a field to account for this level of consent.

Text Message Conversations and Their Required Consent:

Consent First Message Sender Conversation Type Text Message Content
Conversational Text Messaging Implied Consent Contact or Customer Two-way Conversation Responses to a specific, inbound customer request
Informational Text Messaging Express Consent (Oral or Written) Contact, Customer or Business One-way Alert or Two-Way Conversation Inbound and outbound messages containing relevant customer information
Promotional Text Messaging Express Written Consent Business Automated, One-way Campaign with Promotional Offer Out-bound messages that promote your business, product or service Prompts customer to buy something, go somewhere or take some sort of action
Political Text Messaging Express Consent (Oral or Written) Political Group One-way Alert or Two-Way Conversation Inbound Content Related Expressly to Political Action
Tax Exempt Nonprofit Text Messaging Express Consent (Oral or Written) Nonprofit or Group Acting on Their Behalf One-way Alert or Two-Way Conversation Inbound Content Expressly Related to Organization

Note: This table gives examples of the types of text message conversations and required consent. This does not qualify as legal advice. It isn’t a substitute for legal advice from qualified professionals.

At MessageDesk we have rules for importing contacts. Consent doesn’t just apply to new contacts. It applies to all of your contacts - even the ones you import. Before you import a list, make sure you’ve got the right form of consent from every contact.

Implied Consent:

If it’s “reasonable to believe” that you have permission to text a contact then you have implied consent.

Think of implied consent as getting more casual or inferred permission whereas express consent is getting formal permission.

If a contact reaches out to your business and texts you first, then it’s reasonable to assume you have permission to text the contact back, but only specifically regarding their message.

The same holds true for email. If a contact emails your business, and their signature includes their phone number, then you can reasonably assume they’ve given you permission to call them.

Meeting someone in person and getting their business card also gives you permission to contact them by the means listed on their card.

Keep in mind that this doesn’t grant you permission to send them promotional messages regarding your product, good or service.

However, if the contact asked specifically for that information, then you have express consent.

Express Consent:

The TCPA doesn’t specifically define express consent. It simply states that express consent is a written or oral agreement that clearly indicates consent to receive texts or calls at a particular phone number. Informational text messages fall into this category.

If a contact knowingly provides your business with a phone number as part of the normal course of business, then you have implied express consent to message them.

But this only holds if the content of the message you send the contact relates to the original reason they gave your business their number.

If a contact gave you their number and they expect to receive a confirmation of their appointment or receive pertinent information regarding their account, then your business has the right to contact them via implied express consent.

If you have a prior established business relationship with a contact, then in most cases you also have prior express consent.

Express Written Consent:

This is written, recorded permission that a contact gives your business either on paper or electronically. Your business will need express written consent from a contact if you plan on contacting them regarding anything that’s promotional.

If the intent of your message is to sell or market your goods, product, or service, you need express written consent.

The thing to remember is that express written consent isn’t implied or assumed. You risk violating the TCPA until you’ve got written proof that they agree to receive texts for promotional purposes.

In this case, “written consent” doesn’t have to mean written by hand. You just need a record of it.

Digital agreements work great for express written consent since the FCC expanded the definition to include web forms, written verbal agreements, or opt-in via text message keyword.

Finally, don’t bury written consent in a long web form full written in legalese. The recipient should clearly understand the terms of opting-in.

Prior Established Business Relationships (EBR)

Texting or talking with an existing customer mean your business has a prior established business relationship.

If a contact asked for information regarding your business within the past 3 months or they’ve made a purchase or transaction with your business in the past 18 months, you have an established business relationship with that contact.

An established business relationship with a contact gives your business prior express consent to call or text with them.

Tax-Exempt Nonprofits

Tax-exempt Nonprofits are non-commercial. They don’t sell goods or services. As long as their communications with contacts remain non-commercial, they can operate under the assumption of express consent to call and text contacts.

Health Care

Health care messages sent on behalf of someone covered under a healthcare plan as defined by the HIPAA Privacy Rules are exempt from normal TCPA consent standards.

Emergency Purposes

Calls and text messages for emergency purposes are for obvious reasons exempt from normal TCPA consent standards.

Text Message Calls-to-Action (CTAs)

A “Call-to-Action” or CTA is a link or button you include in your text message asking your customer to do something.

This could be an opt-in or opt-out to a text message campaign, a link to a website or web property, a link to a calendar, a link to go pay their open invoices, and more.

The purpose of a CTA is to tell your customer what’s going on and to direct them.

Specifically, an opt-in CTA ensures that your customer agrees to receive a text message and that they understand the terms and conditions associated with your text message policy.

No matter what, every CTA you use in your text messages needs to be clear. It should indicate to the customer what will happen if they click through.

Calls-to-Action and other text messages coming from your company shouldn’t contain deceptive language. Don’t obscure opt-in and opt-out details in your terms and conditions.

Text Message Call-to-Action (CTA) Best Practices:

  1. Explain what your product or service is. Contacts need to know what they’re signing up for. Are they getting information or promotional offers? Specify what you’re offering so there aren’t any surprises regarding consent.
  2. Show the telephone number(s) or short code(s) your messages come from If you use a 10-digit long code, this can inform your contact where you’re sending messages from.
  3. Identify the name of your business, organization, or firm. Your contact should know exactly who or what is sending them a message.
  4. Clarify how to opt-in and out of communications. It should be clear to your contact that they can opt-out by texting a keyword like “STOP”.
  5. Note the frequency of messages they’ll receive. Including the approximate number of messages, the customer should expect to receive is a best practice. It sets expectations and prevents against complaints.
  6. Be transparent about fees or charges that result from messaging your business. Despite the popularity of unlimited texting, some users may have to pay a small fee to receive text messages. Your business needs to inform them of these potential charges.
  7. List any other applicable terms and conditions like contact information and privacy policies.

Customer Opt-in

Business text messaging apps like MessageDesk already support the opt-in mechanisms you need to stay compliant with the TCPA.
Messaging platforms like MessageDesk only allow you to send promotional texts after your contacts have opted-in to receive them.

Having the right opt-in procedures limits liability by reducing the chance that a contact receives an unwanted message. It also helps prevent messages from being sent to a phone number that doesn’t belong to the contact who provided that phone number.

How Contacts Can Opt-in to Your Text Messages:

  • Enter their telephone number and agree to the terms of service on your website.
  • Respond or send a keyword as a message from their mobile device.
  • Start a text message conversation with your business.
  • Sign up at a point-of-sale (POS) or other text message sender at your business.
  • Saying “yes” and opting-in via interactive voice response (IVR) technology.

Customer Opt-out

You need to offer your contacts the choice to opt-out of communications with your business at any time. This message should state how and what words will opt a contact out of communication.

Most every business text messaging platform uses the word “STOP” to opt contacts out. The wording for all opt-out instructions needs to be unambiguous and support normal language and variances like, stop, end, unsubscribe, cancel, quit, “please opt me out”, etc.

Contact Opt-out Best Practices:

  • Contacts should be able to opt-out of your messages at any time.
  • Opt-out via phone call, email, or text should be available.
  • A contact’s opt-out request should generate one final opt-out confirmation message per campaign and notify the contact that they’ve successfully opted-out.
  • Don’t send any messages after the opt-out confirmation message.

Links are an inherent part of how businesses communicate with contacts and customers.

They’re great for when you want to ask a customer for a review, collect an open invoice, schedule an appointment, or provide customer service.

However, texting a whole bunch of short links to large groups of people may prompt some red flags at the carrier or message provider level.

Shortened URLs like are a strong indicator to text message providers that the link may be spammy.

With long URLs like, contacts know exactly where the link will take them. With shortened links, a contact may not know where it’s sending them.

We don’t recommend sending shortened URLs to large groups of people. However, using shortened URLs for individual messages, like invoice collection, is ok.

Bitly and Google’s Firebase Dynamic Links are great tools for shortening URLs and creating shortlinks.

All invoice reminder text messages sent from MessageDesk populate automatically as shortlinks.

Damages associated with TCPA violations range from $500 to $1,500 per violation. Since 2015, it’s not uncommon to see federal courts award tens of millions of dollars through class action settlements for TCPA violations.

In short, sending any unwanted texts or phone calls using a dialing system to your contacts’ cell phone is a TCPA violation.

If your business doesn't have the right level of consent to send the right kind of message, then you’re violating the TCPA. Below is a list of TCPA violations.

1. Sending Unsolicited Texts or Making Unsolicited Calls to Residential Phone Numbers

For your business to call residential numbers, you need an “established business relationship” (EBR).

If you haven’t done business with the contact in the last 3-18 months, then you don’t have an established business relationship.

This makes texting and calling via automated campaigns where that contact hasn’t opted-in a TCPA violation.

Based on the content of your message, you will need prior implied, express or express written consent before your business calls or texts a contact. If a contact has not opted in and consented to messaging you are in violation of the TCPA.

3. Not Allowing Contacts to Opt-out

4. Calling People Listed on the National Do Not Call Registry

It’s illegal for your business to text or call anyone who has opted-out of communications, especially those registering on the federal Do Not Call Registry.

Things Your Business Can’t Text – SHAFT

Business communications are a regulated channel. Obviously, various types of content come with additional restrictions.

In an effort to keep the messaging experience positive for everyone across all networks the CTIA (an association of mobile carriers and industry advocates) has put forth guidelines regarding sex, hate, alcohol, firearms, and tobacco (SHAFT).

The alcohol and legal cannabis/marijuana industries are of particular concern with SHAFT.

If your business provides either of these goods or services you still need to comply with SHAFT standards.

In most cases, this means having robust age-gates and normal opt-in and opt-out capabilities.

CTIA SHAFT Guidelines:

  • Content regarding controlled substances and adult content must be age-gated.
  • You can’t disperse content with depictions or endorsements of violence or hate.
  • Don’t send messages containing profanity or hate speech.
  • Endorsements of illegal drugs are forbidden.
Chapter 5

Group Text Messaging

Depending on the type of business text messaging service your business uses, group messaging might be possible. If you can send group text messages using your provider, keep in mind the following recommendations:

  • Make sure the service has strong anti-abuse controls and mechanisms in place to accommodate sending many messages - most do.
  • Check that the service specifically gives group members the ability to opt-out of the group at any time.
  • Finally, make sure the messaging service has features that prevent contacts from getting caught in recursive or cyclical group messages that involve more than one group. Opting a contact out of one group may not opt them out of the other and so on.

Maintaining a DNC (Do Not Contact) List

It’s important that your business knows who they can and can’t call and text. To keep the record straight, you need a DNC or “Do Not Contact” list.

Many business text messaging apps have systems in place to help you keep track of this.

Documenting and saving opt-in and opt-out records with your messaging permissions helps if you’re ever faced with a complaint.