SMS Compliance (US): A Guide to SMS Marketing Regulations

Clear and direct, SMS marketing is the number one way to reach existing and potential customers on a mass scale. 

But that doesn’t mean you can bombard people with messages at any time of day or night. It’s bad practice, and recipients will quickly become frustrated and opt out, undoing all of your hard work and seriously reducing your ROI. However, more importantly, you could be violating federal and state privacy laws – risking costly lawsuits and damage to your business’ reputation. 

This guide will look at the current US privacy laws, including how they differ across states, and show how you can not only remain compliant but also ensure your SMS marketing is as effective as possible.

SMS Marketing Regulations You Need to Know

Unlike the EU and UK, where the General Data Protection Regulation (GDPR) applies, US citizens are protected by a patchwork of federal and state laws. 

Recently, we’ve seen a number of states implement their own comprehensive privacy laws – 15 at the time of writing. With more states set to follow over the coming years, there has been a marked shift from ‘harm prevention’ to ‘rights based’ legislation that is more akin to GDPR. Any company targeting people in these states must comply with each state’s law and prepare for other changes in the future.

While you’re ultimately responsible for ensuring compliance in every state, a single communications platform can give you visibility across all your channels – helping you easily manage consent and protect customers’ data.

The Telephone Consumer Protection Act (TCPA)

The TCPA was implemented in 1991 in response to the growing number of telephone marketing calls, including automated ones. In the years that followed, additional rules were put in place to protect people from unsolicited calls – including requiring prior written consent, and allowing them to opt out. 

SMS is included in the TPCA but there are no specific rules on other forms of communications such as WhatsApp and email. But that doesn’t mean you can circumvent the law by choosing these channels. Poor practices will harm your brand, and you’re likely to be breaching other privacy regulations such as the ones being rolled out by different states.

Violations of TPCA can result in action from the US Federal Communications Commission (FCC) as well as private lawsuits. The cost depends on the seriousness of the violation – but it’s worth noting that in 2023, the FCC issued its highest fine ever: $299,997,000 for 10 companies found guilty of making more than five billion illegal robocalls. 

Cellular Telecommunications Industry Association (CTIA)

As well as laws, there are also voluntary SMS guidelines to follow – namely the Messaging Principles and Best Practices (Principles and Best Practices), developed by the Cellular Telecommunications Industry Association (CTIA). These guidelines stipulate that ‘non-consumers and consumers can exchange wanted messages; and consumers are protected from unwanted messages.’

Though not enforceable by law, the guidelines must be adhered to otherwise businesses risk being blocked and will therefore be unable to communicate with their customers. 

SMS Marketing Best Practices

The TPCA and state-level regulations, together with the CTIA, should give you a clear idea of your obligations and provide a framework for best practices. Below, we highlight some of the most important considerations – but it’s vital that you stay up to date with changing legislation, and the nuances of different states. 

Easy Opt-Outs

SMS marketing best practices center on consent – so you need to offer recipients an easy way out if they choose. So, not only do you have to obtain explicit consent to send messages in the first place, you also need to make it easy for people to revoke consent at any point. Under the TPCA, marketing teams must offer an ‘automated, interactive “opt-out” mechanism during each robocall so consumers can immediately tell the telemarketer to stop calling.’ This applies to any form of communication over the phone, including SMS.

Clear consent 

The TPCA states that ‘express consent’ must be obtained before they can be contacted by phone. This is easy enough to do with customers who have already engaged with your business – simply include an opt-in button on your website. 

You can buy contacts to grow your database, but you must ensure that they are TPCA compliant and that you continue to follow the rules (e.g. providing a clear way to opt out). 

The CTIA has also outlined different levels of consent, depending on the type of conversation:

• Conversational: Where a consumer has initiated a conversation with a business or other organization, consent is implied because it’s assumed they will expect a response. 
• Informational: Consumers must give express consent, either written or verbally. Examples could include a customer agreeing to SMS updates on a delivery following a purchase online or in store.
• Promotional: The tightest rules apply to marketing messages, where express written consent is needed. But this is easy to implement via an opt-in checkbox when they submit their details when creating an account or making a purchase. It’s worth splitting out SMS from other forms of communication, such as email, so you can communicate with customers on their preferred channel and reduce the risk of a blanket opt-out. 

Time restriction

According to TCPA rules, you’re not permitted to send communications, including SMS, before 8am or after 9pm. However, in some states, the cut-off time is 8pm so check for any variations, and make sure you’re up to date on any new regulations as they are enacted. Since the US covers multiple time zones, it’s important to use your communications platform to make sure you pick the right times for your communications. 

Identification Requirements

Messages must include the sender’s name (sender ID), with the name of the organization and its contact details. This is not only a legal requirement, it’s also good practice. Consumers are likely to trust a message from a business that doesn’t try to hide its identity. 

Internal and National Do Not Call (DNC) lists

You need to keep up-to-date internal and national do not call lists in line with customers’ wishes. As the FCC states, the fact that millions of people have opted out isn’t a bad thing for marketers since it allows them to target their communications more effectively. 

Federal and state DCN lists can vary so check both to avoid breaching the rules.

Common Issues 

As with any regulations, there are a number of gray areas that could cause you to inadvertently break the law. It’s therefore vital that you bear in mind the following:

Residency issues

Since regulations vary by state, problems can arise from people having different area codes to where they currently reside. This is why it’s important to nurture your customer relationships, and encourage them to update their details if they move to another state.

Reassigned numbers

Reassigned numbers can cause an issue for businesses because you might inadvertently contact someone who hasn’t consented to marketing. The FCC’s Reassigned Numbers Database (RND) can help you find out whether or not a number has been reassigned, and see whether someone has opted out of communications by phone. 

Staying Compliant 

As we have seen, the laws around data privacy and communications are complex and ever-changing, with differences between states and other countries. Regulations and best practices not only protect consumers from fraud and unwanted communications, they also raise standards and ultimately help not hinder marketers. 

This is why it’s important to work with an SMS messaging provider offering end-to-end data protection, with ISO 27001 compliance and expertise in delivering bulk SMS to both local and international customers. 

To find out how we can help you cut through the complexity and connect with your customers, get in touch with our expert team today.