CTIA & TCPA Compliance

What you need to know to avoid a multi-million dollar SMS marketing fine

SMS Compliance

Table of Contents

Download for Later!

Prefer a PDF version? Get this article sent right to your inbox.

So, you want to be one of the innovative companies out there using SMS and text message marketing to connect with customers and prospects and grow sales. Even a moment of research into the topic, and you’ll begin to see 4 very, very important letters mentioned often: TCPA.

The TCPA is an incredibly important law that you, or your marketing team, need to know in and out before you get started with SMS marketing. Why? Because not knowing what it is can cost you millions (and has for large brands). 

There is good news, though! Following the TCPA is pretty easy –– especially if you know what it is, and choose a technology or SMS marketing tool that makes sure you are covered. 

All right, let’s get you caught up on this need-to-know law.

What is TCPA and how does it apply to SMS messaging?

The Telephone Consumer Protection Act (TCPA) went into effect in 1991. It covers unsolicited calls and texts to cell phones, protecting consumers from unregulated use of their personal information. 

Nearly 30 years later, brands of all shapes and sizes are looking to SMS marketing as a way to get in front of their customers. That’s because text messages have a near 100% read rate. Let’s take a sample size of one: How many text messages do you have on your phone right now that are unread? 

That near 100% read rate is so much higher than email marketing, where a good average open rate is 20%, and click rate is about 2-5%. Yikes. 

This makes SMS marketing a great channel for so many brands to talk to customers and prospects. But, there are rules and regulations in place to protect each of us. 

Section 4 and 5 of the TCPA’s definition are what apply most to brands looking to use SMS marketing:

  • (4) The term “telephone solicitation” means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person, but such term does not include a call or message (A) to any person with that person's prior express invitation or permission, (B) to any person with whom the caller has an established business relationship, or (C) by a tax exempt nonprofit organization. 
  • (5) The term “unsolicited advertisement” means any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person's prior express invitation or permission, in writing or otherwise. 

Again, the TCPA’s goal is to protect consumers and businesses from unsolicited advertisements. For brands, this means that you cannot send unsolicited marketing text messages to consumers without their voluntarily giving their information to you via a website where it is made clear what their information will be used for.

Sounds pretty simple right? And it is! Except for unsubscribes, and a variety of other guidelines and rules. Don’t worry, we’ll dive into each of them.

What are the penalties for violating TCPA?

OK, so what happens if you break the law and violate TCPA? Great question! 

You will be fined. A lot. 

Fines range from $500-$1,500 per violation, and they are the most common punishment for non-compliance. This means $500 to $1,500 per text message you send to a customer who either:

  • Did not opt-in to your SMS marketing
  • Or unsubscribed, but wasn’t taken off your list

Any and all unsolicited calls or texts qualify as TCPA violations.

A variety of companies –– large and small –– have been hit with TCPA violation class action lawsuits. They include brands like ADT, Square, a Denver-based cannabis dispensary, Jiffy Lube, and Microsoft

For Microsoft, the court ruled in favor of the company in 2015, which is good news for SMS marketers. From the ruling, however, brands must make it clear to consumers when they collect their phone number information that they will be sent SMS marketing. 

This is why it is so important to add SMS marketing terms and conditions to your website. 

In general, one text message to a consumer that is in violation of TCPA is not considered high enough volume for a lawsuit. 

Beyond that, however, you could get yourself into hot water, which is exactly what happened to Jiffy Lube. Their TCPA violation class action lawsuit resulted in a fine of $47 million

These kinds of fines are one big reason why so many companies have opted in favor of short codes, allowing consumers to clearly opt-in via a short code they can text to a specific number. 

But, short codes were created by the CTIA (another acronym!) and they have guidelines all their own.

What is CTIA? What happens if you ignore their guidelines?

The CTIA stands for the Cellular Telecommunications Industry Association. It is a trade association for wireless carriers and others that operate in the mobile space. CTIA created the common short code system, which is one of the primary ways of sending SMS marketing messages to consumers. 

As part of that Short Code system, the CTIA established guidelines for Short Code-based SMS marketing programs. They enforce those guidelines through regular audits. If the CTIA finds that you are not in compliance with their guidelines, they will report you to the mobile carriers, which may then shut down or suspend your SMS marketing program until the issue can be resolved. 

What are in these guidelines? Well, the guidelines contain rules about what consumers must be told within your messages. For instance, that message and data rates may apply, how to get help and/or stop messages from coming in, how often the customer can expect to get messages from the company, links to terms and conditions, as well as privacy policies, and more. 

The CTIA’s guidelines are not law, like the TCPA. However, a violation can cause your program to be shut down. No fines are involved.

How can businesses be TCPA and CTIA compliant?

All right –– so now that you have a good understanding of the TCPA and CTIA as well as their individual powers to either fine your organization or shut off your SMS marketing program, let’s chat through how to make sure none of that ever happens. 

There are two main rules for sending SMS marketing messages:

  • Only send to consumers who have opted in specifically for this kind of marketing
  • If / when they consumers want to unsubscribe, let them! 

That’s about it, though there are nuances of course. Let’s dive in.

1. Collecting numbers via opt ins and consent.

There are quite a few ways consumers could opt-in to your SMS marketing program. You’ll need to make sure that for each of these various opt-in points, you are being clear with the consumer about how you will use their information. 

Here are a few ways you can collect their phone number, and what you might need to have prepared to make they are properly informed in line with TCPA:

Website pop-up: This is one of the most common ways to collect SMS numbers for SMS marketing. Be sure to have a link to your terms and services, where you should have updated information about your SMS marketing practices. Also, be sure you make it clear to consumers when gathering their phone number here that it will be used for marketing purposes, that they can opt-out at any time, and that you never share their information with anyone.


JUDY SMS Compliance Example
This is a beautiful example from JUDY of an SMS capture pop-up.

An ecommerce checkout: Ecommerce platforms like Shopify make the collection of SMS numbers at checkout incredibly easy, and common. Many consumers opt-in here expecting shipping and delivery SMS updates. Be sure that if you are going to use these numbers for SMS marketing as well, that you are clear about that at checkout. For most Shopify stores, the generic language only explains that their number will be used for shipping and delivery updates. It is worth it to be overly clear and communicative here.

Hydrant SMS Compliance Example

What an SMS pop-up during checkout can look like. This example is from Hydrant. 

Another example of what capturing SMS at checkout may look like. This example is from RugsUSA.

Email marketing: You might be thinking it’d be a good idea to see if folks on your newsletter list would like to join your SMS marketing list. It is a pretty good idea! Just be sure not to opt them in without them knowing (we’ll cover that in a bit). You can even use smart links in email for a “click to text” option that pulls up a consumer’s text message tool on their computer or mobile phone to send a quick short code and opt-in. Be sure in that email to make it clear how consumers can opt-out once they are opted in and what you will use SMS marketing for.

This example from Express shows you a tap to text option, and was found in their email newsletter. Notice the asterisk and information there? Yep –– they are TCPA and CTIA compliant!

Click to text: You can use click to text in email marketing, as mentioned above, but also really just anywhere. Perhaps your site drives traffic that comes mostly from mobile phones, and many of them are reading your blog. It might make sense in there to have folks click to text short codes to opt-in for updates about new blog posts, or new reviews, or anything really that makes sense for your brand and what that consumer is looking for. Just be clear, similar to all the other options here, in how consumers can opt-out and what kind of information you will be sending them. (Example of this above!)

Gated piece of content: Many brands create checklists, online courses, or a variety of other assets and offer them for free with the exchange of an email or phone number. Cool! Just be sure that if you are asking for a phone number, you can clear in your messaging what that number will be used for. Also, be sure that your first message to them includes a link to the asset they were trying to get. The golden rule pays off in dividends in these scenarios. What kind of information would you want to have sent to you from a brand, and what kind of heads up would you think appropriate?

NaturAll Club SMS Compliance Example

This example is from NaturAll Club, and appears at the end of their online hair quiz. Want your results? Enter your number (and get 10% off!).

Handset: If you have a sales team, customer service teams, or even just allow for folks to call in, be sure you have a script or verbiage ready for those employees to capture phone numbers for your SMS marketing campaigns. Also, be sure that the script includes language that explains to the consumer what their number will be used for, and that they can opt-out anytime. 

POS system: If you also run a brick-and-mortar shop, or ever do any kind of pop-ups and use a POS system, you can collect SMS numbers through checkout. Here, you should do two things. Have a script or have your employee trained to ask customers if they would like to be added to the sms marketing list, and then have the customer check a box or confirm that on the POS system itself as they check out.

Hold on, can’t I just use this list of customer phone numbers I already have? 

No. Absolutely you can not. You must have consent from the consumer before you opt them in to any SMS marketing campaign. That is, the consumer must know that they will be getting a text from you because they agreed to have that marketing text sent to them. 

What happens if you ignore that law? Let’s do the math… 

Say, you have 5,000 people on your email newsletter list and you want to send out a new SMS marketing campaign to them. Say, you have 3 text messages in that campaign over the course of a week. 

So, that gets you 15,000 texts to 5,000 people. Your fines for doing so could amount to $7,500,000 on the low side to upwards of $22,500,000.

Can your business afford that? Will those 3 texts generate that much revenue? No. The answer is no. 

Do not just send an SMS marketing campaign to folks who have given you their phone number information without them specifically signing up for SMS marketing. 

Remember: Customers are giving you access to their most personal and private device — their mobile phone number. Use this privilege wisely, respect people’s privacy, and treat others as you wish to be treated (the golden rule).

2. Managing unsubscribes in compliance with TCPA.

Similar to email marketing, you are required to allow consumers to unsubscribe or opt-out of your SMS marketing. Unlike email marketing, there isn’t an easy link they can click in your SMS messages that allows them to do that. 

Instead, most consumers simply respond to a text saying, “Stop,” “No,” “Don’t message me,” “Unsubscribe,” or whatever else makes the most sense to them. This creates what is known as fuzzy opt-outs –– when a consumer tries to opt-out of text message marketing using whatever terms they want. 

There are easy words to predict consumers might use. And then, there are misspellings, and a whole host of other potential fuzzy opt-out options. 

And letting consumers opt-out is a key part of the TCPA. So, you need to have a tool that can recognize all fuzzy opt-out language and successfully opt those consumers out when they ask (or pay a serious price). 

Here are just some of the fuzzy opt-out terms Postscript recognizes:

  • STOP
  • stpop
  • stpo
  • end
  • unsubscribe
  • cancel
  • do not text
  • do not call
  • don't text
  • don't call
  • take me off
  • wrong number
  • remove me
  • ***k you
  • ***k off
  • eat ***t
  • do not contact
  • don't contact
  • do not message
  • stop texting
  • stop ****ing texting
  • unsubscribe me
  • stop sending texts
  • stop sending me texts
  • Stop the text, please!
  • Stop sending me text message! I have asked many times and you continue to send them to me!
  • Stop 🛑
  • STOP SENDING ME THESE TEXTS... I already ordered one and I don't want to keep getting texts from you
  • Please remove. Thanks.
  • Stop all texts to me!
  • Please delete me from your text list. Thanks so much!
  • Stop sending me text
  • Stop sending these, please!
  • Remove this number
  • Do not text
  • Remove my phone number
  • Stop all
  • Quit texting me you already ripped me off
  • Please remove my number from your system. Thank you!

3. How do long codes and short codes apply to TCPA and CTIA?

To really understand how short code and long codes apply to TCPA and CTIA, here is a bit of history on short codes from the CTIA

  • In the early 2000s, CTIA and other messaging ecosystem stakeholders developed the short code platform (i.e. five or six digit codes) to facilitate the appropriate use of bulk wireless messages. Short code messages enable wireless messaging campaigns that are vetted by wireless providers. The combination of upfront vetting with ongoing auditing means that short codes can enable high-volume messaging campaigns while minimizing the risk that short codes will be used to distribute unwanted messages. 
  • In 2009, building on the successful SMS and MMS inter-carrier interoperability initiative, CTIA and messaging stakeholders expanded the SMS Interoperability Guidelines to guide how non-mobile networks could exchange SMS message traffic with mobile wireless networks. 
  • In 2011, CTIA and the messaging stakeholders further expanded the SMS Interoperability Guidelines to include cloud-based services that use 10-digit NANP telephone numbers, and addressed unwanted message risks associated with this expanded ecosystem. 
  • In 2014, as the messaging ecosystem evolved, CTIA and messaging stakeholders also revised the SMS Interoperability Guidelines to account for group messaging and text-enabled toll-free telephone numbers. All of these efforts have been premised on the common goal of maintaining and enhancing a dynamic and competitive wireless messaging ecosystem, while limiting consumers’ exposure to unwanted messages. In pursuit of this goal and consistent with these Principles and Best Practices, messaging ecosystem stakeholders should promote the exchange of wanted messages among wireless consumers and enterprises, minimize risks to wireless consumers of receiving unwanted messages, and conduct fair dealing with each other, as well as comply with applicable laws and obligations. 

In general, the TCPA doesn’t have anything to do with short codes or long codes. The CTIA does, which is the coalition of mobile carriers. Short codes and long codes must be registered with the CTIA, though typically tools like Postscript can do that for you. 

Registration takes only 24-48 hours, and you should be able to use your code in compliance with both the CTIA and TCPA immediately after it is registered. 

What is a short code?

A short code is an easy to remember 5 to 6 digit number that texts are sent from. It allows you to both send SMS as MMS. At Postscript, we ensure that your customers will not receive any other marketing from other companies using our short codes (called cross talk). Cross talk can confuse customers and lead to bad customer experience.

4. Disclose that message and data rates apply.

According to the CTIA guidelines, you are required to let consumers know that data rates and carrier fees may apply to the texts they receive from your brand. This can be as simple as saying in your first text to consumers, “Msg & data rates may apply.”

5. Make sure you send at the appropriate time.

The TCPA is in place for consumer protection. One really good way to make sure you don’t end up in court over your text messages is to simply not annoy the people who are signed up for it. One way to do that is no to send messages at inappropriate times. 

Remember, a lot of people keep their phones on loud in case of an emergency. So, if your audience is spread across time zones, and you send a message at 9 a.m. Eastern Time, you are hitting your California folks at 6 a.m. Not ideal. 

Again, the golden rule is the best way to think through all of this. Would you want to receive this message at this time? If the answer is no, don’t send it.

6. Content matters; AKA, don’t spam.

You’ve done a lot of work at this point to have gotten consumers to subscribe to your SMS marketing campaigns, to make sure you are unsubscribing them whenever they want, to check in and make sure that it isn’t some weird morning or late night hour. Please, make sure that the content of what you are sending them is aligned with your brand, and adds value.

In other words, don’t send people spam just for the sake of being “top of mind.” Provide value. Wish them Happy Birthday! Tell them about a new drop or a new influencer. Send them helpful content in line with your brand mission. 

Whatever you do, don’t send messages just for the sake of sending them. 

How can tools and technology help businesses stay TCPA and CTIA compliant?

SMS marketing tools and technology can take away the majority of the heavy lifting of TCPA and CTIA compliance. POstscript, for instance, gives you a copy and paste terms and conditions language, sets up short codes and registers them, gives you a variety of options for collecting SMS numbers for your campaigns (including click to text, pop-ups and more), and helps you to manage campaigns so that you send information at the right time. 

Literally, SMS marketing tools enable you to focus on only two things instead of everything that is listed out in this article:

  • How you collect the numbers
  • And how you keep people subscribed. 

This means you get to focus on the branding of your campaigns, and the purpose of them. Then, you get to measure engagement and their ultimate success, making tweaks where needed to grow your list and continue to drive traffic –– all without waking up at 3 a.m. wondering if there’s a class action lawsuit coming your way. 

There won’t be when you use tools like Postscript, because compliance is handled for you. 

Of course, there is a bit of research you must do on your end. Many businesses, for instance, like to use Twilio for SMS marketing. Tools like Twilio, however, do not manage fuzzy opt-outs, or a variety of other compliance factors. Yes, the tool allows you to easily send SMS marketing campaigns in an inexpensive way, but non-compliance fees could eventually shut your entire business down through bankruptcy.

TCPA & CTIA Guidelines & a Checklist for Ecommerce Marketers

Whether you choose to use a tool like Postscript that manages the majority of TCPA and CTIA compliance regulation for you, or if you decide to set up a system yourself with a service like Twilio, it is good to have a quick hit list of what you need to know. 

Hand this off to your marketer, or to your boss. Make sure your sales teams know about it, and have a script they can speak to to help get new folks sign up appropriately.

Here is what is required by the TCPA and CTIA of any brand looking to use SMS marketing campaigns: 

  • Get permission from your consumers to message them.
  • Acquire an individual’s explicit consent to receive informational messages via SMS text message.
  • Acquire an individual’s express written consent to receive marketing messages via SMS text message. Written permission may include electronic or digital forms of signature (such as a website form, text message, or email).
  • Maintain a record of each individual’s consent.
  • Disclose useful information and opt-out instructions.
  • Offer the ability to revoke consent and opt-out at any time (e.g., a STOP keyword and other fuzzy opt-outs).
  • Disclose that message and data rates may apply.
  • If you are asking people to subscribe to a recurring SMS text message campaign (such as a weekly or monthly updates), then clearly explain the regularity of text messaging (i.e. “sign up for weekly updates”).
  • Message thoughtfully, carefully, and be smart. Do not include content that involves illegal behavior or substances, violence, adult content such as nudity, profanity, or hate speech.
  • Message people between the hours of 9:00 am and 9:00 pm, local timezone.
  • Be specific. Messaging “Text YES to ### subscribe to Pony Express HQ’s weekly update and receive deals” is more likely to increase your opt-in rate than a message like “Text YES to subscribe.”

Start your 30-day trial

Launch your first SMS marketing campaign in minutes. All you need to get started is your Shopify URL. 

Tracey Wallace Headshot
Written by Tracey Wallace

Tracey Wallace is a freelance writer and researcher for Postscript and SAP. She is also Head of Marketing at Eterneva, a grief wellness company. Prior to Eterneva, she ran global content marketing and strategy for BigCommerce, the leading SaaS ecommerce platform for enterprise and B2B brands.