
SMS Marketing Compliance: TCPA & GDPR Guide 2026

Navigate SMS marketing regulations and compliance requirements. TCPA rules, GDPR consent, opt-in best practices, and message frequency guidelines.

Digital Applied Team
January 29, 2026
7 min read
  • Max TCPA Fine Per Message: $1,500
  • Recommended Monthly Messages: 4–8
  • TCPA Records Retention: 4 Years
  • SMS Open Rate: 98%

Key Takeaways

TCPA violations carry fines of $500–$1,500 per message: The Telephone Consumer Protection Act is one of the most litigated statutes in US law. Each non-compliant SMS can trigger statutory damages, and class actions involving millions of messages can result in multi-billion-dollar exposure for brands.
Express written consent must precede every promotional SMS: Under TCPA, you must obtain clear and conspicuous written consent before sending marketing text messages. Verbal consent is insufficient. The FCC's one-to-one consent rule, effective January 2025, means consent obtained for one brand cannot be shared across marketing partners.
GDPR adds a lawful basis requirement on top of opt-in: EU subscribers require both a valid lawful basis (legitimate interests or explicit consent) and an easy withdrawal mechanism. SMS marketing almost always requires explicit consent under GDPR, not merely a soft opt-in or pre-checked box.
Opt-out processing must be immediate and complete: STOP commands must be honored within 10 business days under TCPA. GDPR requires withdrawal to be as easy as giving consent. Delayed opt-out processing or re-subscribing contacts who texted STOP is among the most common compliance failures.
Documented consent records are your legal defense: Maintain timestamped records of exactly when, how, and where each subscriber consented, along with the exact disclosure language shown. Without this documentation, you cannot defend against TCPA class actions or GDPR enforcement actions.

The Regulatory Landscape

SMS marketing sits at the intersection of telecommunications law, data protection regulation, and consumer protection rules. Brands that get it wrong face a combination of statutory fines, class action exposure, and carrier-level blocking that can permanently damage their mobile channel. The regulatory environment in 2026 is more stringent than ever following the FCC's one-to-one consent rule and GDPR enforcement actions against major brands.

Three frameworks govern SMS marketing for most businesses: the Telephone Consumer Protection Act (TCPA) for US contacts, the General Data Protection Regulation (GDPR) for EU contacts, and the CTIA's messaging principles and best practices that apply to carrier network access regardless of geography. Additional jurisdictions including Canada (CASL), Australia (Spam Act), and individual US states add layers that globally operating brands must address.

Regulation | Jurisdiction | Primary Requirement | Max Penalty
TCPA | United States | Prior express written consent | $1,500/msg (willful)
GDPR | European Union | Explicit consent + lawful basis | €20M or 4% of global revenue
CASL | Canada | Express or implied consent | $10M CAD per violation
CTIA Guidelines | US Carriers | Opt-in keywords + opt-out handling | Channel blocking

TCPA Requirements for SMS

The Telephone Consumer Protection Act of 1991 remains the primary federal law governing commercial text messages in the United States. Despite its age, TCPA has adapted through FCC rulemaking to cover modern SMS marketing practices. Private plaintiffs and class action attorneys actively enforce it, making TCPA compliance essential for any brand messaging US consumers.

Prior Express Written Consent

Consent must be obtained before any promotional or marketing SMS is sent. It must include a clear disclosure that the consumer will receive autodialed marketing texts and must identify the number the consent covers.

Autodialer Definition

The Supreme Court narrowed the TCPA's autodialer definition in 2021 (Facebook v. Duguid), but the FCC has maintained a broad interpretation. When in doubt, treat all SMS platforms as regulated autodialers.

Opt-Out Compliance

Honor STOP, QUIT, CANCEL, UNSUBSCRIBE, and END commands within 10 business days. Send a single confirmation, then cease all marketing messages. Re-subscribing contacts who opted out without their renewed consent is prohibited.

Transactional vs. Promotional

Transactional messages (order confirmations, appointment reminders) require only informational consent. Promotional messages require prior express written consent. Mixing promotional content into transactional threads requires full promotional consent.

Required TCPA Consent Disclosure Language

Your opt-in forms and consent capture mechanisms must include language that clearly identifies: who is sending the messages, the nature of the messages (marketing/promotional), that message and data rates may apply, an estimated message frequency, how to opt out (reply STOP), and a link to your terms and privacy policy. Here is an example disclosure:

"By checking this box, I agree to receive recurring automated marketing text messages (e.g., cart reminders, promotions) from [Brand Name] at the mobile number provided. Consent is not a condition of purchase. Message frequency varies. Message & data rates may apply. Reply STOP to unsubscribe. View our Privacy Policy and Terms of Service."

Opt-In Best Practices

Collecting valid consent is the foundation of SMS compliance. The method through which you capture opt-ins determines your legal defensibility, subscriber quality, and long-term list health. Each opt-in method carries different compliance requirements and conversion trade-offs.

Web Form Opt-In

Compliance: High | Conversion: Medium
  • Separate, unchecked checkbox specifically for SMS
  • Full disclosure language adjacent to checkbox
  • Double opt-in confirmation message recommended
  • Capture and store the form URL with timestamp

Keyword Text-In

Compliance: High | Conversion: High
  • Consumer texts a keyword (e.g., JOIN) to your short/long code
  • Auto-reply confirms enrollment and restates terms
  • Reply STOP in confirmation initiates immediate opt-out
  • Log keyword, number, timestamp, and confirmation delivery

Point of Sale / Paper Form

Compliance: Medium | Conversion: Medium
  • Written consent language must include all TCPA disclosures
  • Scan or digitize the signed form for recordkeeping
  • Best practice: send a double opt-in text to verify the number
  • Staff training required to explain the consent terms

Co-Registration / Lead Gen

Compliance: Low (post-2025) | Conversion: High (volume)
  • No longer valid for TCPA under one-to-one consent rule
  • Shared consent across multiple advertisers is prohibited
  • Legacy lists collected via co-registration require re-consent
  • Migrate to first-party opt-in methods immediately

Message Content Rules

Even when you have valid consent, the content of your SMS messages must meet regulatory and carrier requirements. Message content violations can trigger carrier filtering, short code suspension, and consumer complaints that invite regulatory scrutiny. The CTIA publishes mandatory messaging guidelines that carriers enforce independently of TCPA and GDPR.

Required Message Elements

  • Brand name or sender identification in every message
  • Opt-out instructions (STOP to unsubscribe) in first message of campaign
  • HELP keyword support — must reply with contact information
  • Clear disclosure when message contains a promotion or offer
  • Accurate description of any time-limited offer or deadline

Prohibited Content

  • SHAFT content: Sex, Hate, Alcohol, Firearms, Tobacco (carrier-blocked)
  • Cannabis and CBD (regardless of local legality)
  • Phishing-style links or deceptive sender identification
  • Debt collection in violation of FDCPA rules
  • Misleading price claims or false urgency tactics

URL and Link Compliance

Links in SMS messages are subject to carrier scrutiny. Avoid URL shorteners from public services like bit.ly, as these are associated with spam and frequently blocked. Use branded short domains or your own domain-level short links. Ensure the landing page destination matches the message content — deceptive or mismatched destinations trigger carrier filtering and FTC enforcement risk. Always use HTTPS links.

Frequency Management

SMS has the highest open rate of any marketing channel (98%) and the most intimate delivery method — directly to a subscriber's pocket. This intimacy makes frequency management critical not only for compliance but for subscriber satisfaction and list longevity. Sending too frequently drives opt-outs, complaints, and eventually carrier filtering.

Business Type | Recommended Frequency | Opt-Out Rate Threshold | Notes
eCommerce | 4–8 messages/month | <3% | Higher during sale periods
Restaurants / Local | 2–4 messages/month | <2% | Tied to events/specials
B2B Services | 1–2 messages/month | <1% | Content-led, not promotional
Retail Flash Sales | 2–3 per event | <5% | Must disclose at opt-in

The frequency disclosed in your opt-in consent must accurately reflect actual sending behavior. Disclosing "up to 4 messages per month" and sending 15 is a TCPA compliance issue because the consent was obtained under misleading terms. If your frequency changes, notify subscribers and obtain renewed consent for significantly increased volumes. Sending times also matter: avoid messages before 8 AM or after 9 PM in the recipient's local time zone per TCPA quiet hours provisions.

Record Keeping Requirements

In TCPA litigation, the burden shifts to the defendant to prove they had valid consent. Without detailed consent records, you cannot mount a defense. GDPR similarly requires you to demonstrate compliance under the accountability principle. Robust record keeping transforms compliance from a cost center into your primary legal defense mechanism.

Consent Records

Retention: 4 years minimum (TCPA) / indefinitely (GDPR)
  • Exact consent disclosure text shown at point of opt-in
  • Timestamp of consent (date, time, timezone)
  • Capture channel (web form URL, keyword, POS, paper form)
  • IP address for web form opt-ins
  • Phone number in E.164 format
  • Identity of the brand that collected consent

Opt-Out Records

Retention: 4 years minimum
  • Timestamp of STOP message or opt-out request
  • Processing timestamp (when removed from active list)
  • Suppression list entry confirmation
  • Any re-opt-in requests with new consent documentation
  • Complaint records tied to post-opt-out messages

Message History

Retention: 2–3 years
  • Content of messages sent to each subscriber
  • Delivery timestamps and status
  • Campaign names and identifiers
  • Phone number delivery logs

Compliance Monitoring

SMS compliance is not a one-time setup — it requires ongoing monitoring of metrics that signal risk before they become regulatory problems. Proactive compliance monitoring lets you identify and correct issues before they escalate to complaints, FTC inquiries, or litigation.

  • Opt-Out Rate: <3%. Reduce frequency or improve targeting
  • Complaint Rate: <0.1%. Review content and consent quality
  • Delivery Rate: >95%. Clean invalid numbers from list

Annual Compliance Review Checklist

  • Audit all opt-in forms for current TCPA disclosure language and one-to-one consent compliance
  • Verify opt-out processing time meets 10 business day requirement and review any exceptions
  • Confirm suppression lists are synchronized across all platforms and sending systems
  • Review message frequency against disclosed amounts in consent forms
  • Test HELP and STOP keyword responses on all short codes and long codes
  • Confirm consent record exports are complete and backed up outside SMS platform
  • Review any complaints received and trace root cause through consent records
  • Update EU subscriber data processing documentation for GDPR accountability requirements
  • Conduct vendor due diligence on SMS platform's compliance certifications
  • Review legal landscape for any new FCC rulemakings or state-level SMS laws

For brands with significant SMS programs, consider a dedicated compliance officer or retaining outside counsel with TCPA expertise for annual audits. The legal landscape evolves rapidly — state attorneys general, FTC enforcement actions, and private litigation continue to refine what "compliant" looks like in practice. Stay subscribed to FCC notices and CTIA updates.

For deeper context on managing compliant subscriber communications across channels, our CRM & Automation service outlines how to build compliant multi-channel subscriber management. You can also explore email deliverability best practices and email and CRM integration strategies for building a unified compliant communication program.
